Edit tour

Windows Analysis Report
Personnel department Ingress Profit Compensation, Charitable Language unit.eml

Overview

General Information

Sample name:	Personnel department Ingress Profit Compensation, Charitable Language unit.eml
Analysis ID:	1446963
MD5:	ef29a23d7cc7ce376413e22fcb8d7ceb
SHA1:	cae8c056a68f65b049140a6bb354d243436c7879
SHA256:	44934bfadb1c22fd6536d55f14346a70e8d2ad113666eaca70f985af00461058
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected e-Mail

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 6436 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Personnel department Ingress Profit Compensation, Charitable Language unit.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6928 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "58B80DC9-B478-48F3-89DB-685016573180" "A2587449-4586-444C-A9CA-82CEA3D3FCE0" "6436" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WZ1KQIUC\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.office.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://api.scheduler.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://augloop.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cdn.entity.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cortana.ai
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://cr.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://directory.services.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ecs.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://graph.windows.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://invites.office.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://login.windows.local
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://management.azure.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://management.azure.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://substrate.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://tasks.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/12@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240523T2346360499-6436.etl

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Personnel department Ingress Profit Compensation, Charitable Language unit.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "58B80DC9-B478-48F3-89DB-685016573180" "A2587449-4586-444C-A9CA-82CEA3D3FCE0" "6436" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "58B80DC9-B478-48F3-89DB-685016573180" "A2587449-4586-444C-A9CA-82CEA3D3FCE0" "6436" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected e-Mail

Source: e-Mail

LLM: Score: 8 Reasons: The email contains attachments with generic names that could potentially be malicious. The sender's email address appears suspicious and not related to any known organization. The email text is vague and lacks specific details, which is a common trait in phishing attempts.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Personnel department Ingress Profit Compensation, Charitable Language unit.eml	Binary or memory string: dGl0eS1VQ1MgZGVmCi9DTWFwVHlwZSAyIGRlZgoxIGJlZ2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+
Source: Personnel department Ingress Profit Compensation, Charitable Language unit.eml	Binary or memory string: ZGVmCi9DTWFwTmFtZSAvQWRvYmUtSWRlbnRpdHktVUNTIGRlZgovQ01hcFR5cGUgMiBkZWYKMSBi

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Personnel department Ingress Profit Compensation, Charitable Language unit.eml	0%	Virustotal		Browse

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://api.microsoftstream.com/api/	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://outlook.office.com/autosuggest/api/v1/init?cvid=	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://login.microsoftonline.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/connectors	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://cdn.entity.	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	Avira URL Cloud: safe	unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://globaldisco.crm.dynamics.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://d.docs.live.net	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://safelinks.protection.outlook.com/api/GetPolicy	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com/search/api/v2/init	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	URL Reputation: safe	unknown
https://storage.live.com/clientlogs/uploadlocation	598A14C7-5897-4DE1-A283-849BA772C6D9.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446963
Start date and time:	2024-05-24 05:45:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Personnel department Ingress Profit Compensation, Charitable Language unit.eml
Detection:	SUS
Classification:	sus21.winEML@3/12@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 20.44.10.123
Excluded domains from analysis (whitelisted): ecs.office.com, client.wns.windows.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, onedscolprdcus05.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Input	Output
URL: e-Mail Model: gpt-4o	```json { "riskscore": 8, "reasons": "The email contains attachments with generic names that could potentially be malicious. The sender's email address appears suspicious and not related to any known organization. The email text is vague and lacks specific details, which is a common trait in phishing attempts." }

URL: e-Mail Model: gpt-4o

```json
{
  "riskscore": 8,
  "reasons": "The email contains attachments with generic names that could potentially be malicious. The sender's email address appears suspicious and not related to any known organization. The email text is vague and lacks specific details, which is a common trait in phishing attempts."
}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.394487180905309
Encrypted:	false
SSDEEP:	1536:PoYLK/gsq/gZ2MzGFgs5TNcAz79ysQqt22pWmqoQixrcm0FvZnNyHLIvUH43H5it:D+gURQgqmiGu2wqoQMrt0FvWk8YphtxI
MD5:	15DC32F4BF2D628FAAA0EF95F8B16F93
SHA1:	B4E4ADF2250573B33818FE558F5292342E6C5721
SHA-256:	975FBA0463D3113BE3F56DBC838A1AF818B1A4138D267C07F4D8BE130F8A0660
SHA-512:	645CD7BEA975919764E555485527885F118B1E833365F69D5C7AA2EC47AC20E06CA3FCE07300F13C06BC6BA5B0583F66899DA756BD1953B1301629F24DD9E87E
Malicious:	false
Reputation:	low
Preview:	TH02...... ..Y..........SM01X...,...................IPM.Activity...........h...............h............H..h..........x...h.........0;.H..h\eng ...r\Ap...h..>.0...H......hV.N...D........h........_`>j...h*.N.@...I.6w...h....H...8.Cj...0....T...............d.........2h...............k..............!h.............. h..[W....`.....#h....8.........$h.0;.....8....."h(+G......+G...'h..,...........1hV.N.<.........0h....4....Cj../h....h.....CjH..h@.D.p........-h .............+h.N................ ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\598A14C7-5897-4DE1-A283-849BA772C6D9

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167135
Entropy (8bit):	5.340521422954716
Encrypted:	false
SSDEEP:	1536:6+C7FPgOsB3U9guwwJQ9DQA+zqzhQok4F77nXmvYd8XRPEwreOR6Y:3IQ9DQA+zqzYXuMT
MD5:	F5327EAD48198E0C60283FAFA32ACB5C
SHA1:	0B5A534800EE275C33413B200E23C08CAFFF8E71
SHA-256:	EEDF2490D2F6E9EB97629BD80C678E056774B19917E4B76AD624BF57CFD3CE88
SHA-512:	BD584080F2C86152711E7FB669292EFD02DCB7868710B4FE1A80CD6B196CA66F5FF0B0D4ACBD9FA8C1AE9A4E58E070EA0AEBA6B2474BD4828605E3904C882E6E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-05-24T03:46:39">.. Build: 16.0.17707.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04595739460260245
Encrypted:	false
SSDEEP:	3:Gtlxtjl929mmd941lxtjl929mmdlXl1R9//8l1lvlll1lllwlvlllglbelDbllAC:GtMr/41MrnXt9X01PH4l942wU
MD5:	E09379C9A6C1540A80933BFFDD8DA4FF
SHA1:	49917C9BE099A63FA1FE2E95410CCC68B8317ED8
SHA-256:	97FE71D15BCB0A7B4CDC17CE011056FD1F80D100C033323FEFCBA36FDFC6B667
SHA-512:	48F077027F37575818F1C7876A3C35F1C00A9B2E29C27BBD1A9E199DE0C1226E398797E58EFC9287B1626CEB1D30F4B9E769E95C1593D57F29CFE31192AC4CB7
Malicious:	false
Reputation:	low
Preview:	..-.....................8.`C..z.)....h.'I.Cr%....-.....................8.`C..z.)....h.'I.Cr%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4841820083447282
Encrypted:	false
SSDEEP:	48:ECQ1pmqUll7DYMAzO8VFDYMJBO8VFDYML:akll4vjVGkjVGC
MD5:	217BE4ECC9885AE5D66E6DC2A738DB36
SHA1:	4D5D36A16694031A35AA997E5F4CEC4F38955900
SHA-256:	BEB0875F89B28AC4E1838E77ED0FB75708BBC0BF3810A40434A52D0FF3591832
SHA-512:	E45AD741BD85CEDAA37E058668BC4221253BE195328118414A563CC0A0C7D3E9BCCE7990ADDA6610BCC81C1ECE8B6C11C366896F57C59F378D95A474EFEA88BB
Malicious:	false
Reputation:	low
Preview:	7....-...........)....h...,..+..........)....h.1.%... SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WZ1KQIUC\HgLbIvrb.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	PNG image data, 784 x 584, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	35889
Entropy (8bit):	7.904106440904506
Encrypted:	false
SSDEEP:	768:k1005cC7+ZWAkBlfiAs5YjtTWMbernb1128xu:k205cbW9UA2CTWMqr3Jxu
MD5:	BF7966153F19EA636E22748FE3DB4E81
SHA1:	6581DBD75F16B1647C44D6D864A607584FF2F8E3
SHA-256:	B66B729D58E634DA91EF6F126165A29FED023DC05BC95D9B0D535A3CEF4608CE
SHA-512:	EC57180A1F4F514595B47A5DD6FCF9D0768B65406D37510B8EE877F6052F6D932962C7D4B8F72E2C6F56223AF8FAE2F695F81F95222CC96545A26595A7476CAF
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......H......S......sRGB....... .IDATx...{\|T.....$!....(...m..i5.....).J.n.5V*uW...I..F......Q..W.}....I..WqWc.N.....A...i-h..I[.(A.p..dr........$.......G.Y..w}.w.....e..~...........;."""""2y(.........@......e. DDDDD.2.."""""b.........L.......X.1.....x..N........s.RPP0.....!""""".).........@......e. DDDDD.2.."""""b.........L.......X..BDDDDD,S.!""""".).........@......e. DDDDD.2.."""""b.........L.......X..BDDDDD,S.!""""".).........@......e. DDDDD.2.."""""bY.x'@DDDd....}.....~...........M......\X..p>....f..1...,./.....w.>.......9...q.K.]....?.....gf.\|.2>.@.....H...."......[.?.9.3g..%.}..,.YY.......9.....`..O:....:E.SL9\|....?-..V...G..et~i9.i..%}.:. DDDDb...k\|...?...g......[W.i]]Li?B^.K.\r1./_L..J\|......n...v..Y.G..O2{./9.wN:.Y..h!..).>....""""1......#....X..K.......6:.-...W.7g.J.J.."..Urw5q.K..t3.3gM..5. DDDD..O..'~JZW.x'e.l...m.......9.....w..l....lb.[or.k+9...j..D.@......N.b...c2>.8.2..\..........ig.H..$....;;I..,u.J?y..W^f.......^..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WZ1KQIUC\HgLbIvrb.png:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1716522396736665500_E590A01A-0FE1-4ED2-BEBD-CDFA1CCF2DD4.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28764), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.15927084912424366
Encrypted:	false
SSDEEP:	1536:iwkUxrwETfig4SE7LekRVJazfcMhO2lnObtmEj9DR53SqJScBEGE:LrZeg47g7d7D
MD5:	BB13C54F998BE8B0CBC61B3477E3A9A7
SHA1:	53F9B0D8D4F09C57E558026DA76C204297B50997
SHA-256:	87C35DD0E773988376D0E8D367BE88179D31E01388178A6A07845FAAB3423112
SHA-512:	9BA92DA9D373DB89FAA11D1A9866670CC47065826645D651717BF534BB4AB2DF3C1E8D4A9309B37A5C3F9A26A3487B06D3003C12D937A4245DC81C499F4EF178
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..05/24/2024 03:46:36.952.OUTLOOK (0x1924).0x10F4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-05-24T03:46:36.952Z","Contract":"Office.System.Activity","Activity.CV":"GqCQ5eEP0k6+vc36HM8t1A.4.9","Activity.Duration":15,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...05/24/2024 03:46:36.968.OUTLOOK (0x1924).0x10F4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-05-24T03:46:36.968Z","Contract":"Office.System.Activity","Activity.CV":"GqCQ5eEP0k6+vc36HM8t1A.4.10","Activity.Duration":11666,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1716522396742160900_E590A01A-0FE1-4ED2-BEBD-CDFA1CCF2DD4.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240523T2346360499-6436.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	4.521351020034253
Encrypted:	false
SSDEEP:	768:W07yCPX1X8FSwdQBD4c3yK9CWjm1q6TR2uxUPXvZ2PgWteCW0WIWQ:eW4c3yK9CW6/ToxPXx+IW
MD5:	C755011D8D877E81A464EDF4CC5080C3
SHA1:	EF984CB5257EB746C3AD1F8532C21BBB4B3CD9F1
SHA-256:	4FCE7ACC4DD85D38286301E9A4F50FCF355FB71EB76174FBA44329228609BBCC
SHA-512:	D17E74DD5959FE556335739ACC4EFD7FC299489CB6218B65738495E8608DCA4F109078DF8570F93BA70010B77FF1FB669F04ADDA5EA60C08636748C95AA66C76
Malicious:	false
Reputation:	low
Preview:	............................................................................h.......$..........................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................L..........................v.2._.O.U.T.L.O.O.K.:.1.9.2.4.:.9.3.f.f.f.3.7.4.3.8.7.f.4.c.7.e.9.a.c.5.a.8.c.e.b.b.4.3.6.a.c.6...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.5.2.3.T.2.3.4.6.3.6.0.4.9.9.-.6.4.3.6...e.t.l.......P.P.....$.....*.....................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:5Zlzlt:Zzl
MD5:	729A49B6A571F4DC6792D51EC6D871DC
SHA1:	94BF42AC746D8D31462DE8F98833A289BD8048CD
SHA-256:	0B000300E7EDF20140FDD49DC21E8AF249B3D84F3D04561B5DD3EBBF171E8B93
SHA-512:	C492BD9B317DB37A70DA2D0446512E0D00CE56C16F2EAC58850B5FDD1C96D5852DE4FAFA5FC32E46887ECD16EE54D351FB3AFE1981A15B937E3B5669083DC96E
Malicious:	false
Preview:	.....[........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	5.378800984299379
Encrypted:	false
SSDEEP:	3072:e6L7HTgTuQU79y0EjMkxV58oFFusZTuSs/qaYWk0+e4Lp92kkp9:FvEuQURM7iCPySYq9Ljk
MD5:	2B1A3D60CEEAFB7B923D36BEED6103CD
SHA1:	AE398AEE6FEBDD58A08C5424375DC636C733C110
SHA-256:	440236CD46D0AD0F6064434188629319A886BCC1657FB056326A2CB2BC972031
SHA-512:	0F8C1ED501FB6A9715FA15CDBEB8037BA166C09C3A4F850BD7EA62D7914962E5DAE2B4C476D9E8017D994AAC05E606A7EBE039C1EF9A04EA2A0ACC9C71591775
Malicious:	false
Preview:	!BDN...SM......\....T..................]................@...........@...@...................................@...........................................................................$.......D.......R...................................................................................................................................................................................................................................................................................................................................\|.q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	4.92079260924927
Encrypted:	false
SSDEEP:	3072:aNp9HWHTTWuQUM9ykk0+l8oFhKsZTuHsoqawFp96OI:aNWSuQUA3CvyHbqNqV
MD5:	5E3AD76F5829719141143214809FD45E
SHA1:	E01EF13A68CB7FFA28FBF7E4C073FE8A8FF8E80A
SHA-256:	E009461A2CEB8E9DC5E9068A0D768F03F4903E5F13E2CC9E07C155E3E1D7EC78
SHA-512:	3FFDE6CA95BA2E58F6B60E31B9996206D7AE78787CF1FBCEA52356C985E9E4E75078205A55E049B928645A764F5D26EC3CC488B9BF3DE56D84580DA3D9A0F801
Malicious:	false
Preview:	q.{9C...z.......$...r-........................#.!BDN...SM......\....T..................]................@...........@...@...................................@...........................................................................$.......D.......R...................................................................................................................................................................................................................................................................................................................................\|.q..r-...........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (1156), with CRLF line terminators
Entropy (8bit):	6.075801851120081
TrID:
File name:	Personnel department Ingress Profit Compensation, Charitable Language unit.eml
File size:	139'370 bytes
MD5:	ef29a23d7cc7ce376413e22fcb8d7ceb
SHA1:	cae8c056a68f65b049140a6bb354d243436c7879
SHA256:	44934bfadb1c22fd6536d55f14346a70e8d2ad113666eaca70f985af00461058
SHA512:	18be2737f34bcd60f053bd3f7194f233db137bb34a1ad004b6333c2909010cf938d527c10abf3605a0c98b3f4beb10c76c219c6fc9e31d652050ba3191d5395a
SSDEEP:	3072:cPLpW6eoV1DUSSu9jNC2agxAIqRB5d+08oCK6BjwlUnFNp:cPLpW6eovUs9jNCaxsRB7+08C6Bjwan1
TLSH:	EED3F1338C636CA5A74096ABF6077C425CF73C53299780E492AC45E05DE83EAD69CD3E
File Content Preview:	Arc-Seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;.. b=EyavgSStFVDzm5usc1mg+uGGLCVgzz59gItNigzHTfEImDN3xLJGGwJBQB1ghtFHVR3jR47yyA/BpnVyDFoqf/mipSf9QyA7Y5ybjIzghoBpgrtexrliH2bWyxw3z5c3mzA3Rqf6qu3IQIIelGGenX6Ge0EKDh8RJV/yJ41p8sTRsYQAg

Static Mail

General

Subject:	Personnel department Ingress Profit Compensation, Charitable Language unit
From:	eSign-Document-Shared-Organization-Internal-Message@frando.nl
To:	Austin Wilde <austin.wilde@nationalmi.com>
Cc:
BCC:
Date:	Thu, 23 May 2024 17:09:44 +0000
Communications:
Attachments:	HgLbIvrb.png eSignature Req#9 for austin.wilde - ADP.pdf

Headers

Key	Value
Arc-Seal	i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=i6EFbLmedPXw2SQCaj/cw+8VgZ76A5GX0tBJcUFxpUxzFu9M43OeRRAvNdZ2I92Y6Edsz39DOS1abmlIAJLZ/GY6mSdn6pmJP5xR9Nkvja/stAPU8W9ciIaW2+/q+wFsZPMxELzmjHDt82l3X+B8wDYzpmon4bnemT3JU91dDaI2ql5+IZfqXLtUF335UT2ILOf8m8KPvlfXqydTPQOcopxCMSgvf6NoVyb8neOfCO8GbLMB42VJSp5hRNqfGlaZ7kE7ufrbAHgRanZ9JXiMacWgp4y1Cz5CiP/EM7bvS0ytZ/8DPLKO1pz1eL8gNuSQTqFDo2KU3b8aPuRveP6B3w==
Arc-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CuKuQ1PnZ7bwXz4WI68kS09tlqMvvyVMaN2bZaFKHXc=; b=ILaruBAoo8NDCEBFkP9yj//8rY8ta6QZ8DiBNzXg9P2/vKUNIHm2HCH6tjQTmb/UiUUBbegRpaMN/J9Uwi0nYeYVwZVXd/nJGTjKexQ6IBliraNsJi8AErmHaycbf5c7260w7Uudr5ndCBjglW/W+y/5kVZFLWYfwdLZeJiZBXvkVPAghzgAN14J7w6rzZD508b36adDpT/Zrb7kG48ABL6xwmwIwRzXjNsXjcHJCnPVsbrfh8OWEZtJdHPpQFa+I6db3+sJ8Y3ioqWyNMR7ifuKcbu67Oq4IgKdEEd60zQXrnvVV/lU+Yq9r4eqjnbWyIRj1fbFN1CK/26ZahbWSw==
Arc-Authentication-Results	i=1; mx.microsoft.com 1; spf=fail (sender ip is 51.38.119.233) smtp.rcpttodomain=nationalmi.com smtp.mailfrom=frando.nl; dmarc=fail (p=none sp=none pct=100) action=none header.from=frando.nl; dkim=none (message not signed); arc=none (0)
Received	from [127.0.0.1] (51.38.119.233) by AMS0EPF00000191.mail.protection.outlook.com (10.167.16.216) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7611.14 via Frontend Transport; Thu, 23 May 2024 17:09:44 +0000
Authentication-Results	spf=fail (sender IP is 170.10.152.241) smtp.mailfrom=frando.nl; dkim=pass (signature was verified) header.d=frando.nl;dmarc=pass action=none header.from=frando.nl
Received-Spf	Fail (protection.outlook.com: domain of frando.nl does not designate 170.10.152.241 as permitted sender) receiver=protection.outlook.com; client-ip=170.10.152.241; helo=usb-smtp-inbound-delivery-1.mimecast.com
Authentication-Results-Original	relay.mimecast.com; dkim=pass header.d=frando.nl header.s=selector1 header.b=huzl2J9m; arc=pass ("microsoft.com:s=arcselector9901:i=1"); dmarc=pass (policy=none) header.from=frando.nl; spf=pass (relay.mimecast.com: domain of esign-document-shared-organization-internal-message@frando.nl designates 40.107.21.94 as permitted sender) smtp.mailfrom=esign-document-shared-organization-internal-message@frando.nl
X-Mc-Unique	9mVetSbTPSOCPhbvIQ2A_Q-1
Dkim-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=frando.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CuKuQ1PnZ7bwXz4WI68kS09tlqMvvyVMaN2bZaFKHXc=; b=huzl2J9myGS2IgJJa7LuKo9lJIiRQR9iL9MHdThxpFUgntlVb4TigsAo2lbQgRdQaEuiahBvj8Wigb79dX0gv5khrUbJvaUhFvvKASCOijT7+gNTRE71kgxyehC67MSN3u2Rbk02itWy+RzZHKIdwq+0FL2hQ1aGsN4sHZfWvaI=
X-Ms-Exchange-Authentication-Results	spf=fail (sender IP is 51.38.119.233) smtp.mailfrom=frando.nl; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=frando.nl
From	eSign-Document-Shared-Organization-Internal-Message@frando.nl
To	Austin Wilde <austin.wilde@nationalmi.com>
Subject	Personnel department Ingress Profit Compensation, Charitable Language unit
Message-Id	<f2-1e7f3bed7c-bd4c-cf51-7df9-408712257dba@frando.nl>
Date	Thu, 23 May 2024 17:09:44 +0000
MIME-Version	1.0
Return-Path	esign-document-shared-organization-internal-message@frando.nl
X-Eopattributedmessage	1
X-Ms-Traffictypediagnostic	AMS0EPF00000191:EE_\|DB9PR07MB8895:EE_\|CH3PEPF0000000D:EE_\|IA0PR17MB6417:EE_
X-Ms-Office365-Filtering-Correlation-Id	5e992526-7ac7-43b7-23a8-08dc7b4b397e
X-Ms-Exchange-Senderadcheck	1
X-Ms-Exchange-Antispam-Relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230031\|82310400017\|61400799018\|34020700007\|36860700004\|376005\|36200700002
X-Microsoft-Antispam-Message-Info-Original	q6HsNnd3XYJDI9qepbXHmUOS9PCHDkHjyo/j5FNyaSIpSQsq7izrLCM7D5SpbuRm+LdOzhr7KfoFtvyX5/VN9OqU5XEpqRtt5f/PQVlQEF7/N+enpgByS7PCPtno5hZ+OaXyqxrFqzAjQPPs65VZmQrFop+DZyCeKJW2bPFShMTG1++v6LktkhsY1Hkh8PJ3rG0VNG2Yqyg0DGK5nkY4UbzGQrJm4Ob1l6x67ye0/IOhYgJMogdKRHDUVZhcpES11Nc6a457KTwV71ZAe1TF+pJF9fwwg7QgPG2+yJgdb3NCALs48OJCwJDUqx0SLnTOJGEjwIn74fbYYwFQQcYm3BbWFjz8WJYOHmSczqCnzfCXWp7K/HGzWe36KKPOGTpWcpm8iW7qa1E6nKq2U5rKmZyfIqo8q/AsLCThDwvjF+p9uvYtmGyjcGPzrfMdAuaFwmOC+NbK9jwl25FmuhNPMZVBgu8QFBsVkkWdkcZ6I2d7EY0IZB4M2pocNtTGovg5l9YTeg0bpcJsX4ATwaoQvm7yr/8T6pbgiksX+refzFU4a0BDOgm9popBUJmrQdsQXCWOzWb+xhox2Z1nN8LnyEeMTdvTzsY32t8wmEeT1fVnwU3/Sp9XqTruMLOoA/Wd0mq3rT0llkptl20tndvEn4qw82uVdrt7apbKpwZs/9IHC1b81Zfis46yBaz62SYIl5YB80EwLp+mLHeL2jyuOklStAHzF5sIiWwn+09luB+z0tRkNkvpLbLqBk5XdSM1x3CPK1pFvnJrE+W59SwGVMLVmlFAHKDwKQXfFacfxjTBRRDh1gVW4esnaYecf1OEIo30yrpJDSdk4OJG0+ES4uqckOa1wR1aYiR9elQDA2rQjpZtDe64Urh8M9g5sPrAyfCUlD9kz+6QfqRZiN7XnqinNjOjKzRTuy4bh8YcPZfb6MfgW9+mRcH6Fyh6MyiERAwD2EQv46t8T6gCrh+sNS3kk3ox1Y0HZ4VKtwiib9owFMfuXeSsDg9BIBW+ySt+mtHJss3sWZ5W1D+LRNyTD/VMM/1Y7dnx2jeH16fwtvRLll7iWQnCdwe88nBxS5pxdCpTIpy/3CgCdeLZRA3S1Q==
X-Forefront-Antispam-Report-Untrusted	CIP:51.38.119.233;CTRY:DE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:[127.0.0.1];PTR:ip233.ip-51-38-119.eu;CAT:NONE;SFS:(13230031)(82310400017)(61400799018)(34020700007)(36860700004)(376005)(36200700002);DIR:OUT;SFP:1102
X-Ms-Exchange-Transport-Crosstenantheadersstamped	DB9PR07MB8895
X-Mimecast-Spam-Score	0
X-Mimecast-Impersonation-Protect	Policy=Default Impersonation Protect Definition;Similar Internal Domain=false;Similar Monitored External Domain=false;Custom External Domain=false;Mimecast External Domain=false;Newly Observed Domain=false;Internal User Name=false;Custom Display Name List=false;Reply-to Address Mismatch=false;Targeted Threat Dictionary=false;Mimecast Threat Dictionary=false;Custom Threat Dictionary=false
X-Ms-Exchange-Organization-Expirationstarttime	23 May 2024 17:10:19.7099 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason	OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval	1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason	OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id	5e992526-7ac7-43b7-23a8-08dc7b4b397e
X-Eoptenantattributedmessage	00ba92eb-b000-4ac1-aa36-470e8b3a6a63:0
X-Ms-Exchange-Organization-Messagedirectionality	Incoming
X-Ms-Exchange-Transport-Crosstenantheadersstripped	CH3PEPF0000000D.namprd04.prod.outlook.com
X-Ms-Publictraffictype	Email
X-Ms-Exchange-Organization-Authsource	CH3PEPF0000000D.namprd04.prod.outlook.com
X-Ms-Exchange-Organization-Authas	Anonymous
X-Ms-Office365-Filtering-Correlation-Id-Prvs	abdad2a9-d41d-40a9-53bd-08dc7b4b24ca
X-Ms-Exchange-Atpmessageproperties	SA\|SL
Content-Type	multipart/mixed; boundary="----sinikael-?=_1-17164842819040.8119355512144208"

File Icon


Icon Hash:	46070c0a8e0c67d6

Target ID:	0
Start time:	23:46:36
Start date:	23/05/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Personnel department Ingress Profit Compensation, Charitable Language unit.eml"
Imagebase:	0xc80000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:46:39
Start date:	23/05/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "58B80DC9-B478-48F3-89DB-685016573180" "A2587449-4586-444C-A9CA-82CEA3D3FCE0" "6436" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff698f00000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Personnel department Ingress Profit Compensation, Charitable Language unit.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\598A14C7-5897-4DE1-A283-849BA772C6D9

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WZ1KQIUC\HgLbIvrb.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WZ1KQIUC\HgLbIvrb.png:Zone.Identifier

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1716522396736665500_E590A01A-0FE1-4ED2-BEBD-CDFA1CCF2DD4.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1716522396742160900_E590A01A-0FE1-4ED2-BEBD-CDFA1CCF2DD4.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240523T2346360499-6436.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: OUTLOOK.EXEPID: 6436, Parent PID: 4004

General

Windows Analysis Report
Personnel department Ingress Profit Compensation, Charitable Language unit.eml