Windows Analysis Report
d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml

Overview

General Information

Sample name:d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml
Analysis ID:1447157
MD5:1eee03408eac2c90eba1a9211dc31e23
SHA1:a63865b55853af03cd305b8677e0c047a07d5dc0
SHA256:1f648be074b3aaa43098dad2cc01d2805038ac3b5368779c83febcc768f85916
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8040 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7208 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6D70339C-63CB-461D-902F-793D673994D0" "89293EB4-1B23-455F-8075-078CBF49BC6C" "8040" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma detected: Office Autorun Keys Modification
  Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8040, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
  Triage note: the process writing the key is OUTLOOK.EXE itself (PID 8040, the same process that opened the .eml), the target is the OneNote.OutlookAddin entry under Outlook's own Addins key, and the written value is all zeros. The rule fires on the key location regardless of which image writes it; combined with a score of 1 and no other signatures, this is consistent with Outlook's own add-in housekeeping rather than persistence planted by the message. An add-in key written by a process other than an Office binary, or pointing at an unexpected ProgID, would be the case worth following up.
No Snort rule has matched

There are no malicious signatures.

Strings found in binary or memory (grouped by source file)

Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml (the raw message). These strings end in "=" or contain "=3D" because the message body is quoted-printable encoded: "=3D" is the encoded form of "=", and a trailing "=" is a soft line break. They are wrapped fragments of the URLs listed under the rendering temp file below, not distinct links.
  http://pixel.bounceexchange.com/=
  https://ibx2.net/ibx/em/opn/i039KSrgJ9M?x2=3DzQd8qda-XWeI_bDr6Nw_bV=
  https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=
  https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=3DzQd8qd=
  https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=3DzQd8qda-XWe=
  https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=3DzQd8qda-XWeI_bDr=
  https://storage.googleapis.com/=
  https://storage.googleapis.com/bx-production-coreapi-studio-stati=

Source: ~WRS{8B5C93CF-703A-4D7A-9AFD-7BC9F7764403}.tmp.0.dr (temporary rendering file written while Outlook displayed the message; holds the decoded form of the same URLs). Note that the open.gif tracking pixel carries the recipient address in its query string, so loading remote images confirms the read and the mailbox to the operator of that endpoint.
  http://pixel.bounceexchange.com/open.gif?client_id=7215&email=ccasali%40cedarpoint.com
  https://ibx2.net/ibx/em/opn/i039KSrgJ9M?x2=zQd8qda-XWeI_bDr6Nw_bVIlgP3zwBDJSJMrWPfVXp_EBHgqXbi_OVY3x
  https://storage.googleapis.com/bx-production-coreapi-studio-static/assets/uploads/clients/7215/image

Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.dr (a file dropped by Office during the run; the strings are Microsoft Office/365 service endpoints referenced by Office itself, not content of the message).
  http://b.c2r.ts.cdn.office.net/pr
  http://f.c2r.ts.cdn.office.net/pr
  http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  http://weather.service.msn.com/data.aspx
  https://addinsinstallation.store.office.com/app/acquisitionlogging
  https://addinsinstallation.store.office.com/app/download
  https://addinsinstallation.store.office.com/appinstall/authenticated
  https://addinsinstallation.store.office.com/appinstall/preinstalled
  https://addinsinstallation.store.office.com/appinstall/unauthenticated
  https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  https://addinslicensing.store.office.com/apps/remove
  https://addinslicensing.store.office.com/commerce/query
  https://addinslicensing.store.office.com/entitlement/query
  https://addinslicensing.store.office.com/orgid/apps/remove
  https://addinslicensing.store.office.com/orgid/entitlement/query
  https://analysis.windows.net/powerbi/api
  https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://api.aadrm.com
  https://api.aadrm.com/
  https://api.addins.omex.office.net/api/addins/search
  https://api.addins.omex.office.net/appinfo/query
  https://api.addins.omex.office.net/appstate/query
  https://api.addins.store.office.com/addinstemplate
  https://api.addins.store.office.com/app/query
  https://api.addins.store.officeppe.com/addinstemplate
  https://api.cortana.ai
  https://api.diagnostics.office.com
  https://api.diagnosticssdf.office.com
  https://api.diagnosticssdf.office.com/v2/feedback
  https://api.diagnosticssdf.office.com/v2/file
  https://api.microsoftstream.com
  https://api.microsoftstream.com/api/
  https://api.office.net
  https://api.officescripts.microsoftusercontent.com/api
  https://api.onedrive.com
  https://api.powerbi.com/v1.0/myorg/datasets
  https://api.powerbi.com/v1.0/myorg/groups
  https://api.powerbi.com/v1.0/myorg/imports
  https://api.scheduler.
  https://apis.live.net/v5.0/
  https://apis.mobile.m365.svc.cloud.microsoft
  https://arc.msn.com/v4/api/selection
  https://asgsmsproxyapi.azurewebsites.net/
  https://augloop.office.com
  https://augloop.office.com/v2
  https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  https://autodiscover-s.outlook.com/
  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  https://cdn.designerapp.osi.office.net/designer-mobile
  https://cdn.entity.
  https://cdn.hubblecontent.osi.office.net/
  https://cdn.int.designerapp.osi.office.net/fonts
  https://client-office365-tas.msedge.net/ab
  https://clients.config.office.net
  https://clients.config.office.net/
  https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
  https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  https://clients.config.office.net/user/v1.0/android/policies
  https://clients.config.office.net/user/v1.0/ios
  https://clients.config.office.net/user/v1.0/mac
  https://clients.config.office.net/user/v1.0/tenantassociationkey
  https://cloudfiles.onenote.com/upload.aspx
  https://config.edge.skype.com
  https://config.edge.skype.com/config/v1/Office
  https://config.edge.skype.com/config/v2/Office
  https://consent.config.office.com/consentcheckin/v1.0/consents
  https://consent.config.office.com/consentweb/v1.0/consents
  https://cortana.ai
  https://cortana.ai/api
  https://cr.office.com
  https://d.docs.live.net
  https://dataservice.o365filtering.com
  https://dataservice.o365filtering.com/
  https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  https://designerapp.officeapps.live.com/designerapp
  https://dev.cortana.ai
  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  https://dev0-api.acompli.net/autodetect
  https://devnull.onenote.com
  https://directory.services.
  https://ecs.office.com
  https://ecs.office.com/config/v1/Designer
  https://ecs.office.com/config/v2/Office
  https://edge.skype.com/registrar/prod
  https://edge.skype.com/rps
  https://enrichment.osi.office.net/
  https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  https://entitlement.diagnostics.office.com
  https://entitlement.diagnosticssdf.office.com
  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  https://fpastorage.cdn.office.net/%s
  https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
  https://globaldisco.crm.dynamics.com
  https://graph.ppe.windows.net
  https://graph.ppe.windows.net/
  https://graph.windows.net
  https://graph.windows.net/
  https://hubblecontent.osi.office.net/contentsvc/api/pivots/
  https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
  https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  https://ic3.teams.office.com
  https://incidents.diagnostics.office.com
  https://incidents.diagnosticssdf.office.com
  https://inclient.store.office.com/gyro/client
  https://inclient.store.office.com/gyro/clientstore
  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  https://insertmedia.bing.office.net/odc/insertmedia
  https://invites.office.com/
  https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  https://lifecycle.office.com
  https://login.microsoftonline.com
  https://login.microsoftonline.com/
  https://login.windows-ppe.net/common/oauth2/authorize
  https://login.windows.local
  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  https://login.windows.net/common/oauth2/authorize
  https://loki.delve.office.com/api/v1/configuration/officewin32/
  https://lookup.onenote.com/lookup/geolocation/v1
  https://make.powerautomate.com
  https://management.azure.com
  https://management.azure.com/
  https://messagebroker.mobile.m365.svc.cloud.microsoft
  https://messaging.action.office.com/
  https://messaging.action.office.com/setcampaignaction
  https://messaging.action.office.com/setuseraction16
  https://messaging.engagement.office.com/
  https://messaging.engagement.office.com/campaignmetadataaggregator
  https://messaging.lifecycle.office.com/
  https://messaging.lifecycle.office.com/getcustommessage16
  https://messaging.office.com/
  https://metadata.templates.cdn.office.net/client/log
  https://my.microsoftpersonalcontent.com
  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://ncus.contentsync.
  https://ncus.pagecontentsync.
  https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  https://ocos-office365-s2s.msedge.net/ab
  https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  https://ods-diagnostics-ppe.trafficmanager.net
  https://ofcrecsvcapi-int.azurewebsites.net/
  https://officeapps.live.com
  https://officeci.azurewebsites.net/api/
  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  https://officepyservice.office.net/
  https://officepyservice.office.net/service.functionality
  https://officesetup.getmicrosoftkey.com
  https://ogma.osi.office.net/TradukoApi/api/v1.0/
  https://omex.cdn.office.net/addinclassifier/officeentities
  https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  https://omex.cdn.office.net/addinclassifier/officesharedentities
  https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  https://onedrive.live.com
  https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  https://onedrive.live.com/embed?
  https://otelrules.azureedge.net
  https://otelrules.svc.static.microsoft
  https://outlook.office.com
  https://outlook.office.com/
  https://outlook.office.com/autosuggest/api/v1/init?cvid=
  https://outlook.office365.com
  https://outlook.office365.com/
  https://outlook.office365.com/api/v1.0/me/Activities
  https://outlook.office365.com/autodiscover/autodiscover.json
  https://outlook.office365.com/connectors
  https://ovisualuiapp.azurewebsites.net/pbiagave/
  https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  https://pages.store.office.com/review/query
  https://pages.store.office.com/webapplandingpage.aspx
  https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  https://portal.office.com/account/?ref=ClientMeControl
  https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  https://powerlift-user.acompli.net
  https://powerlift.acompli.net
  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  https://prod-global-autodetect.acompli.net/autodetect
  https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
  https://pushchannel.1drv.ms
  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  https://res.cdn.office.net
  https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
  https://res.cdn.office.net/polymer/models
  https://res.getmicrosoftkey.com/api/redemptionevents
  https://rpsticket.partnerservices.getmicrosoftkey.com
  https://safelinks.protection.outlook.com/api/GetPolicy
  https://service.officepy.microsoftusercontent.com/
  https://settings.outlook.com
  https://shell.suite.office.com:1443
  https://skyapi.live.net/Activity/
  https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  https://staging.cortana.ai
  https://storage.live.com/clientlogs/uploadlocation
  https://store.office.cn/addinstemplate
  https://store.office.de/addinstemplate
  https://substrate.office.com
  https://substrate.office.com/Notes-Internal.ReadWrite
  https://substrate.office.com/search/api/v1/SearchHistory
  https://substrate.office.com/search/api/v2/init
  https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://tasks.office.com
  https://templatesmetadata.office.net/
  https://uci.cdn.office.net/mirrored/smartlookup/current/
  https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.co=
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.com/v3/__https://ibx2.=
Source: ~WRS{8B5C93CF-703A-4D7A-9AFD-7BC9F7764403}.tmp.0.drString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/em/unsub/?x2=zQd8qda-XWeI_bDr6Nw_bVIlgP3zwBDJSJMrWP
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/em/wv/?x2=3DzQd8=
Source: ~WRS{8B5C93CF-703A-4D7A-9AFD-7BC9F7764403}.tmp.0.drString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/em/wv/?x2=zQd8qda-XWeI_bDr6Nw_bVIlgP3zwBDJSJMrWPfVX
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fh=
Source: ~WRS{8B5C93CF-703A-4D7A-9AFD-7BC9F7764403}.tmp.0.drString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=zQd8qda-XWeI_bDr6Nw_bV
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur=
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/rd2/cp=
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://urldefense.com/v3/__https://ibx2.net/ibx/rd=
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://us-phishalarm-ewt.proofpoint.co=
Source: ~WRS{8B5C93CF-703A-4D7A-9AFD-7BC9F7764403}.tmp.0.drString found in binary or memory: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA
Source: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlString found in binary or memory: https://use.typekit.net/whp4ksz.css
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://wus2.contentsync.
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 270546B2-8E19-4B18-A534-BF27B1244690.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine | Classification label: clean1.winEML@3/16@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240524T0846480275-8040.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6D70339C-63CB-461D-902F-793D673994D0" "89293EB4-1B23-455F-8075-078CBF49BC6C" "8040" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (61 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (number in parentheses = matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Process Discovery (1) | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Modify Registry (1) | LSASS Memory | System Information Discovery (12) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Behavior Graph ID: 1447157 | Sample: d71f6b59-eef2-4c6c-ae90-74c... | Start date: 24/05/2024 | Architecture: WINDOWS | Score: 1
Process tree: OUTLOOK.EXE started ai.exe
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://login.microsoftonline.com/ | 0% | URL Reputation | safe |
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe |
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe |
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/connectors | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe |
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe |
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe |
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://ic3.teams.office.com | 0% | URL Reputation | safe |
https://www.yammer.com | 0% | URL Reputation | safe |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe |
https://api.microsoftstream.com/api/ | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe |
https://cr.office.com | 0% | URL Reputation | safe |
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe |
https://otelrules.svc.static.microsoft | 0% | URL Reputation | safe |
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe |
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe |
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe |
https://graph.ppe.windows.net | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-user.acompli.net | 0% | URL Reputation | safe |
https://tasks.office.com | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe |
https://api.scheduler. | 0% | URL Reputation | safe |
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
https://edge.skype.com/rps | 0% | URL Reputation | safe |
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 0% | URL Reputation | safe |
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe |
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe |
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe |
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://graph.windows.net | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://substrate.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe |
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe |
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe |
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://us-phishalarm-ewt.proofpoint.co= | 0% | Avira URL Cloud | safe |
https://urldefense.com/v3/__https://ibx2.net/ibx/rd= | 0% | Avira URL Cloud | safe |
https://urldefense.co= | 0% | Avira URL Cloud | safe |
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe |
https://use.typekit.net/whp4ksz.css | 0% | Avira URL Cloud | safe |
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe |
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe |
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe |
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe |
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe |
https://pushchannel.1drv.ms | 0% | URL Reputation | safe |
https://management.azure.com | 0% | URL Reputation | safe |
https://outlook.office365.com | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe |
https://ibx2.net/ibx/em/opn/i039KSrgJ9M?x2=3DzQd8qda-XWeI_bDr6Nw_bV= | 0% | Avira URL Cloud | safe |
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe |
https://make.powerautomate.com | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe |
https://urldefense.com/v3/__https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur= | 0% | Avira URL Cloud | safe |
https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=3DzQd8qda-XWeI_bDr= | 0% | Avira URL Cloud | safe |
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 0% | Avira URL Cloud | safe |
https://d.docs.live.net | 0% | Avira URL Cloud | safe |
https://urldefense.com/v3/__https://ibx2.= | 0% | Avira URL Cloud | safe |
https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2= | 0% | Avira URL Cloud | safe |
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://use.typekit.net/whp4ksz.css | d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml | false | Avira URL Cloud: safe | unknown
https://shell.suite.office.com:1443 | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://us-phishalarm-ewt.proofpoint.co= | d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml | false | Avira URL Cloud: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://urldefense.com/v3/__https://ibx2.net/ibx/rd= | d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml | false | Avira URL Cloud: safe | unknown
https://outlook.office365.com/connectors | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://cdn.entity. | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://cortana.ai | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://urldefense.co= | d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml | false | Avira URL Cloud: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://ibx2.net/ibx/em/opn/i039KSrgJ9M?x2=3DzQd8qda-XWeI_bDr6Nw_bV= | d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml | false | Avira URL Cloud: safe | unknown
https://api.aadrm.com/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://www.yammer.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://cr.office.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | Avira URL Cloud: safe | unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://portal.office.com/account/?ref=ClientMeControl | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://powerlift-user.acompli.net | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/ | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://urldefense.com/v3/__https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur= | d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml | false | Avira URL Cloud: safe | unknown
https://api.scheduler. | 270546B2-8E19-4B18-A534-BF27B1244690.0.dr | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://store.office.cn/addinstemplate270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://api.aadrm.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://edge.skype.com/rps270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://globaldisco.crm.dynamics.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.engagement.office.com/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://dev0-api.acompli.net/autodetect270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://www.odwebp.svc.ms270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://api.diagnosticssdf.office.com/v2/feedback270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://api.powerbi.com/v1.0/myorg/groups270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=3DzQd8qda-XWeI_bDr=d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlfalse
  • Avira URL Cloud: safe
unknown
https://web.microsoftstream.com/video/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.store.officeppe.com/addinstemplate270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://graph.windows.net270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://dataservice.o365filtering.com/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://officesetup.getmicrosoftkey.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://analysis.windows.net/powerbi/api270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://prod-global-autodetect.acompli.net/autodetect270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://substrate.office.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/autodiscover/autodiscover.json270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://consent.config.office.com/consentcheckin/v1.0/consents270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://d.docs.live.net270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • Avira URL Cloud: safe
unknown
https://safelinks.protection.outlook.com/api/GetPolicy270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://ncus.contentsync.270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • Avira URL Cloud: safe
unknown
https://ibx2.net/ibx/rd2/cp7u7rkmk15s73fhur60/?x2=d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlfalse
  • Avira URL Cloud: safe
unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
http://weather.service.msn.com/data.aspx270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://apis.live.net/v5.0/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://officepyservice.office.net/service.functionality270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://urldefense.com/v3/__https://ibx2.=d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.emlfalse
  • Avira URL Cloud: safe
unknown
https://templatesmetadata.office.net/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.lifecycle.office.com/270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://pushchannel.1drv.ms270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://management.azure.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://wus2.contentsync.270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnostics.office.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/I-gv3HeEIA~WRS{8B5C93CF-703A-4D7A-9AFD-7BC9F7764403}.tmp.0.drfalse
  • Avira URL Cloud: safe
unknown
https://clients.config.office.net/user/v1.0/ios270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://make.powerautomate.com270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/api/addins/search270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/odc/insertmedia270546B2-8E19-4B18-A534-BF27B1244690.0.drfalse
  • URL Reputation: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1447157
Start date and time:2024-05-24 14:45:32 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml
Detection:CLEAN
Classification:clean1.winEML@3/16@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.76.243, 52.113.194.132, 2.19.126.160, 2.19.126.151, 20.50.73.11
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, onedscolprdneu07.northeurope.cloudapp.azure.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml
No simulations
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.392403344969657
Encrypted:false
SSDEEP:1536:cxYLAPgshXI+mtj4+qIgsyKNcAz79ysQqt2gl+nUcqoQ/Orcm0FvU8+npysLrVyw:3IgTcggSmiGu2jqoQWrt0FvFItWFz+L
MD5:A3917028643F59FF2083AC652B659750
SHA1:349A1AE387098AB648E05618AAFEEF13F2DD8A4A
SHA-256:65E8ABFAD694CBBE6EBE636535D4DD16C00416054DC27A8D75F64CDC805834AF
SHA-512:1E4E8970487353E40B3D4D680B2B0F899A653D1ED9BEE8CA1EE9313219259B03162930936D45F9F03FB58872E36F0ECB2B1C801040229C3BCF877180490BDF76
Malicious:false
Reputation:low
Preview:TH02...... ..iEe.......SM01X...,....87e...........IPM.Activity...........h...............h............H..h..W.......<....h............H..h\FRO ...1\Ap...h.r..0...`.W....hq..............h........_`Ck...h=...@...I.tw...h....H...8.Hk...0....T...............d.........2h...............k..............!h.............. h.......x.W...#h....8.........$h........8....."h..............'h..c...........1hq...<.........0h....4....Hk../h....h.....HkH..h....p.....W...-h .........W...+h..........W................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):322260
Entropy (8bit):4.000299760592446
Encrypted:false
SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:CC90D669144261B198DEAD45AA266572
SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:false
Reputation:moderate, very likely benign file
Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):10
Entropy (8bit):2.321928094887362
Encrypted:false
SSDEEP:3:LL0UU:W
MD5:BB6F5998B789468350F4137C2615CC29
SHA1:9026D27AE2450FF96B7D2CC147444601F39C2C14
SHA-256:C54D742A2C6EB9F0A5D518B51640488C50006EAD1D0ED811974A381C4A6B6C7B
SHA-512:C970619AD6F5E528A970FEB94FF261FEC214C1AEDE26BF85D1793271AB9751BA24DFFCD995963987CE80A5E8EE23E4B5791FD685B26FF96E7B874C9417DB935F
Malicious:false
Reputation:low
Preview:1716554811
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):167135
Entropy (8bit):5.340510996718595
Encrypted:false
SSDEEP:1536:Z+C7FPgOsB3U9guwwJQ9DQA+zqzhQok4F77nXmvYd8XRPEwreOR6Y:AIQ9DQA+zqzYXuMT
MD5:E6DF937E6F65D563FDC3796E419F19DE
SHA1:0992F5C3B726B1D45A99B2203384E0940DF885AB
SHA-256:4306EAD3B765F2F16E2BE5EEE29212CF8CA1CE8407C1584ECCE108F7FD10635F
SHA-512:FB5982FF4EBBA9087A653A521A9681698D473AF77D42F1A350A4EFB8FA8E1D79E77E107EEA4AE147AC2C011AA1F3E11D2A1FB7A4D5DBD29CA7FF39298B00943C
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-05-24T12:46:50">.. Build: 16.0.17707.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:dropped
Size (bytes):4096
Entropy (8bit):0.09304735440217722
Encrypted:false
SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5:D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:false
Reputation:moderate, very likely benign file
Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):4616
Entropy (8bit):0.1384465837476566
Encrypted:false
SSDEEP:3:7FEG2l+4DmEH/FllkpMRgSWbNFl/sl+ltlslN04l9XllK+n:7+/lHDzg9bNFlEs1E39C+
MD5:77133C075E564CC57B7A0E5725969AEF
SHA1:F694401917F7FEC969953B2983DAD34B8232E094
SHA-256:977AA8119E3BFE33B1FBE1A3A3E21B2EF5FDD634836D203D515D1351F022BDB1
SHA-512:6ABA1876D61405DBB7104BCB00944C471FBB64064E388ED42C47D0CE0A327C2904B4FE76FF5E1F34CC7E54960A6D5C2056D5253321298E0DD90D23A356E58519
Malicious:false
Reputation:low
Preview:.... .c......bF.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.043301446310783746
Encrypted:false
SSDEEP:3:G4l2auwmBw4Al2auwmBo1WlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2auwmBBAl2auwmBBL9XXPH4l942U
MD5:794C0A3B448C5F051F5413212A8405CF
SHA1:07DDDD5A739EB2FC63E55F9E5A17C90740BAE7DE
SHA-256:370B68E63E3B2663C0D997C5FDC6C2119F7DD7CD55886ABE14FA8F1FE0D98D41
SHA-512:8BDDF4096B8D52FCDBEC73317A66EB7A04C43F28E0417D7833BF6EDC21243E693BDFF996D29F01E8BACB566219EBFE356CF1325E19E7D1BCF99D4FA0DE99CE53
Malicious:false
Reputation:low
Preview:..-......................@}....5V"../-.B.......-......................@}....5V"../-.B.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):45352
Entropy (8bit):0.3955599500992121
Encrypted:false
SSDEEP:24:KyfFNqoQMIzRDiKcill7DBtDi4kZERDiLmTxqt8VtbDBtDi4kZERDiw:ffFNrQjeKcill7DYMeLmTxO8VFDYMew
MD5:C0A4EC4E44B09F0F97D74B630D90FD38
SHA1:5F04B35952486ABA2050D7551C4A1B6983C4D068
SHA-256:20DEC2AC91BCC6B78C2C6F1FFB1A3F83119A09D9AA04E02DEFC132B9D0F296FC
SHA-512:D819995E034A16D4492EF37FFDDED74BD0E346269818C5E7DE54ADEB50D9674C357F36EC5EFDD09A67C8CDE0270A6DF3B53530E4045C096F7646115E9110F5C9
Malicious:false
Reputation:low
Preview:7....-...........5V"../-.=8..T...........5V"../-.KG'..pDSQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):36212
Entropy (8bit):4.309691202352532
Encrypted:false
SSDEEP:768:anL+PPPPPPPznRLKLlLUTKLAScLzLH0000000EtepjTMa:ZPPPPPPPzlEi0000000Eq
MD5:C3670E2FDC28CF9F994ABDFACB4E3361
SHA1:9C381FBE7E53E7EEF94D8A800C5EBC87566AFD8B
SHA-256:143279A32A97FD5CC405CC6B48720057243505197FA0A363CDEF2A69EA401341
SHA-512:D4C43E6D8F890E19F8735825D678EB16B3265FD07681E79EA13488012CE4A779A7AD66833C111E31EB2391EB53DF84472601A55959863095C86D414F4E02C075
Malicious:false
Reputation:low
Preview:....S.e.e. .w.h.a.t.'.s. .w.a.i.t.i.n.g. .f.o.r. .y.o.u.!. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. .. O. ...Z.j.Q.c.m.Q.R.Y.F.p.f.p.t.B.a.n.n.e.r.S.t.a.r.t...T.h.i.s. .M.e.s.s.a.g.e. .I.s. .F.r.o.m. .a.n. .E.x.t.e.r.n.a.l. .S.e.n.d.e.r. .....T.h.i.s. .m.e.s.s.a.g.e. .c.a.m.e. .f.r.o.m. .o.u.t.s.i.d.e. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... ........................................................................................................................................................................................................-...-...-.............................................................................................................................................................................................................................................................................$.a$.....$..$.If....:V.......t.....6......4........4........a....*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........4.
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28725), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.15939848550213367
Encrypted:false
SSDEEP:1536:L35PZgunFvTGmdVtz6cZjHhfWp0e2mfVGsZORScdCsONPeS7LGL1hPUjkv9qnqeu:HgIlvdVNfom
MD5:C80309F187922D07D9044DE5E3BA332B
SHA1:5A4978766A75DEE4052BFEFB64B39CD42ECE5EAD
SHA-256:DDA70B115B69C3BAC605B5C22D6EF5BA9E5542D9E1D61384FF8877E896DBB13C
SHA-512:535FB91D94F94E4C245280706FAE8C38CF1041A0A72F6649B05BBEA0D7F42DBB65398209812F1F32E063E280922FC7442EFC7DC9EFBC3BF0DC789A732F6F0871
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..05/24/2024 12:46:48.556.OUTLOOK (0x1F68).0x1F6C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-05-24T12:46:48.556Z","Contract":"Office.System.Activity","Activity.CV":"Gt6i0zsqbEqwKvDrAA/WCg.4.9","Activity.Duration":10,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...05/24/2024 12:46:48.572.OUTLOOK (0x1F68).0x1F6C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-05-24T12:46:48.572Z","Contract":"Office.System.Activity","Activity.CV":"Gt6i0zsqbEqwKvDrAA/WCg.4.10","Activity.Duration":10219,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):106496
Entropy (8bit):4.482785257866349
Encrypted:false
SSDEEP:1536:h1d4hJ2HndxVUNbPLqZ4wpraVa92AOd9XeNW:h1d4hyYAOTX8W
MD5:325F7C6133387F6612460FAB7C24FB16
SHA1:9329FF8AE4869F3B8916C92573AA0019B4B9C8E6
SHA-256:73C8A2735E148F1141B00CA7D3DD9910AE56B3E5E884EA40613D2BD26C9616EB
SHA-512:1CA58B934F78161C1879FEA4B8EA54FF841C128D551551AF0AE94EB9FF08410341AC070BD77BF5E28CEF99A8BBF3EB645DC93B0927F065B0B7471B2A2FA50D88
Malicious:false
Preview:............................................................................h...l...h....n.q...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................r..T............n.q...........v.2._.O.U.T.L.O.O.K.:.1.f.6.8.:.e.8.8.e.c.f.a.3.2.b.c.a.4.1.f.8.b.f.5.7.1.9.7.2.c.a.c.7.d.b.d.8...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.5.2.4.T.0.8.4.6.4.8.0.2.7.5.-.8.0.4.0...e.t.l.......P.P.l...h...D..q...................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:DKl7l/t:Wh
MD5:D038EF42412205F74F45CAB91853C6C4
SHA1:0308B934C24D141EEBB31CDEF3F2A8AA1A7CEB7B
SHA-256:744C87B7051DF4A32E0AD5EF85CE6410863B1AF855328684BCDBA22554AF38A0
SHA-512:878AAD4421E74AC1120365602BE39013E1F317A96B459DAECDB96264180AD26EE0F8229EB6401651924C8A22A6733E56BC9DDB0C8AF19039ED8BB23725764C16
Malicious:false
Preview:....4/........................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.668057907790903
Encrypted:false
SSDEEP:12:rl3baFasqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCTzBFkm:rhmnq1Py961BFkm
MD5:21AA9397B7BC6AD266C05FDE20B5A4B9
SHA1:777F944BB3C9D9C9203B312866F51C40FC8F1A56
SHA-256:B8A17A2993FA40197645C706BE940F5E6F117A4020B2AA04D19AC131D273704B
SHA-512:074EDCDD2B25AC5E1060FA3AF7594E0871F489BBD66DDF6E2C8E4B217C7189F223FEA460008AF3E7C802AB26ABCDE66C67442E5BBFC3A3B557224831C906FAA1
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):3.652132258436285
Encrypted:false
SSDEEP:1536:hKL+47lURQCsZTtgPFkXzQrsBsyFSpLn1kju9J5UgREP8pRNW53jEpEHP4qQ10Pa:h/2o6jQUzrQp9Idp9
MD5:5297363A40435BCFECB4B5EBED58637B
SHA1:D910E27291D9C738B04F0DEAC62716AD5F415CA0
SHA-256:88C67E77B0917569F9292456E38B5FDFAA301D44E65983093511FA68EFC2FA96
SHA-512:059649906308060E08E775615E6A90E9C924AC82178A47A31F1992CB1D64A97A44AE5E3E34A2D264DD880E75050273DBDDB40B830B857423AC16BC0D7B66A043
Malicious:false
Preview:!BDN.C..SM......\...0-..........K.......a................@...........@...@...................................@...........................................................................$.......D......................G...............J...........................................................................................................................................................................................................................................................................................,.........=O........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):2.7366940128301906
Encrypted:false
SSDEEP:1536:oW53jEpEHP4qQ10PAwr1p/3DEW53jEpEHP4qQ10PAwrtLfYRJF:qp9WGp9B
MD5:DCE44D50A7E54ADD8431609744FD2877
SHA1:2ECFF73D3B7FE7EC4E907BEDA034C2992DFE866B
SHA-256:4B8BAE79003664B9493584D11F10970E05CBE8B35E319588C7A62DB8594E73A9
SHA-512:EDC240200EE26FD1B01AF25396E34445B6CBAE3034F0A0E95DBE7E3DCEB6F53ECA36BCCAA7CC525BDBF703D43301DFEC1426AB8D84A2F5A5448B4D1C93DC6712
Malicious:false
File type:RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):6.014825026583012
TrID:
  • E-Mail message (Var. 5) (54515/1) 100.00%
File name:d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml
File size:40'740 bytes
MD5:1eee03408eac2c90eba1a9211dc31e23
SHA1:a63865b55853af03cd305b8677e0c047a07d5dc0
SHA256:1f648be074b3aaa43098dad2cc01d2805038ac3b5368779c83febcc768f85916
SHA512:197860b4e8e9d611d891037bd52daa9d75499bb0696ed77e27dfc30c6b00b6a7bc85dc06a6e610bbc7d4c1b1a715de854578cc6ed47ce3d1e8cbc520ff8e6785
SSDEEP:768:0mDx+FDq14MTZsKErlNWbvjrC6DKxXSQDAvTvxSnCperpVneRjX/+G3mbSNevGPB:02YDv7VeXkBS
TLSH:3503DA4B70C202C310BD8D59E9126A7A7F226D7D437184B9FC1D517B8E6EC2B39832E5
File Content Preview:Received: from SA3PR15MB5728.namprd15.prod.outlook.com (2603:10b6:806:319::9).. by SA3PR15MB5950.namprd15.prod.outlook.com with HTTPS; Fri, 24 May 2024.. 00:48:52 +0000..Received: from SA0PR11CA0153.namprd11.prod.outlook.com (2603:10b6:806:1bb::8).. by SA
Subject:Don't Let Summer Fly By Without A Visit to Cedar Point
From:Cedar Point <cedarpoint@wk.cedarfair.info>
To:ccasali@cedarpoint.com
Cc:
BCC:
Date:Fri, 24 May 2024 00:48:47 +0000
Communications:
    Attachments:
      Key Value
      Receivedfrom ODk1OTg0 (unknown) by geopod-ismtpd-18 (SG) with HTTP id Nn-jKOZCQPW05zi4hV5Orw Fri, 24 May 2024 00:48:47.173 +0000 (UTC)
      Authentication-Resultsspf=fail (sender IP is 148.163.138.99) smtp.mailfrom=wknd.wk.cedarfair.info; dkim=fail (body hash did not verify) header.d=wk.cedarfair.info;dmarc=fail action=oreject header.from=wk.cedarfair.info;compauth=none reason=451
      Received-SPFFail (protection.outlook.com: domain of wknd.wk.cedarfair.info does not designate 148.163.138.99 as permitted sender) receiver=protection.outlook.com; client-ip=148.163.138.99; helo=mx0b-003fb001.pphosted.com;
      Authentication-Results-Originalppops.net; spf=pass smtp.mailfrom=bounces+895984-eca8-ccasali=cedarpoint.com@wknd.wk.cedarfair.info; dkim=pass header.s=wk header.d=wk.cedarfair.info; dmarc=pass header.from=wk.cedarfair.info
      DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=wk.cedarfair.info; h=content-transfer-encoding:content-type:from:mime-version:subject: reply-to:to:cc:content-type:from:subject:to; s=wk; bh=k3h2ii6Yiw+RaH9oqMBPg4ss6BG2/De49d9SRWcCHdE=; b=SADujRtmyE4AQSomdLeRFQ21oEdnVGd0YeCVyMiPz//7JKJLQzxSikzHLxjL1q2kaUMX AQ1FvszG9ASS9H30vYdTmp9C56Q6AZivo44KQmlSXPe3lU5TPuzgdYvLhMPZ//FMHIeBlM 68QeViTjFiE1z/HB1Xafjhx+t7iW2kVd171SzogoJ+5PdFurYTI5FhjLNR8BYYb32eajiF iG6EKmEE8JuL+5WzVmAoDC2+p+xvE/W8rQP6M5ax59d/DllDbB+wVHwQwnaRqkh47yw/5K Psx1GHimvmRut4WcVMsikZs95xqXUh+ENZFiiOfmbEK8WhAJpXYSFhIwy3H4HpIw==
      DateFri, 24 May 2024 00:48:47 +0000
      FromCedar Point <cedarpoint@wk.cedarfair.info>
      Message-ID<Nn-jKOZCQPW05zi4hV5Orw@geopod-ismtpd-18>
      SubjectDon't Let Summer Fly By Without A Visit to Cedar Point
      Reply-Tocedarpoint@parks.cedarfair.info
      X-SG-EID u001.fHpS1dWeeUuCDhTor7g1U4v37pd6LfFajpVvx+FblxaRei+B7gfQkJxwk4I0hKQmd0lT2fY1B+xi7rEaqTMMNRo57KBxKQPXkfOSuHmvVCxADeewwx5mkIccfH5CczZdaGHRHkjc8Yow7nc6SjcV++0CHTEz5dTvtCu7fVS084kMwOQAbvMZ1aTBfMJMDThno9FbypTLXvN0hAxnQ/bp7S/lyt+IlGo47tJuFLfRNtNHGYMMDSFBc5f9t2ZOQFsXJpXD8jZkHDun+dpUC7k7Fg==
      X-SG-ID u001.SdBcvi+Evd/bQef8eZF3BpTL9BgbK5wfSJMJGMsmprCfzdk8Q6weRGnugVdQiDX/kyf0+IwINCNM6Ev2CUH9OCFXeJRMk7oIkecVi2tQT3BHHot+y1OY4WZGtD/3G93HuS2coFUSJy9T73BTlEIzHtUfyi+jgvuj7QWHjsCGhfOvbR6CKMxwLo2WHBE9OUcI
      Toccasali@cedarpoint.com
      X-Entity-IDu001.d2GtsxuQ2P+i6tj9dAmeEA==
      X-Proofpoint-ORIG-GUIDS8VrgE9e5lbMpkLyNknJ9E9iiUkX9mBw
      X-CLX-Response1TFkXExIRCkx6FxoRCllEF2VARRJ7SRx+S0kSEQpYWBdkXFkSclhNb2RZRBE KeE4Xbl4BZ21wcBMYG3ARCnhLF2RcWRJyWE1vZFlEEQp5TBdvAUNaYEtoQ2V9ZhEKQ0gXBxkTGR EKQ1kXBxgdGhEKQ14XBxIRCl5EFxsYEhEKQ0kXGgQaGhoRCllNF2dmchEKWUkXGnEaEBp3Bh0Sc R8QGncGGBoGGhEKWV4XbGx5EQpJRhdJT05LWExLQ1h1QkVZXk9OEQpJRxd4T00RCkNOF3kSfFhN bxNPH0ZIZ1pBZlNkQURgE28TQ0N/QXITR2hdEQpYXBcfBBoEGRwdBRsaBBsbGgQbGR4EGR8QGx4 aHxoRCl5ZF05Cc0NmEQpNXBcZHh4RCkxaF3htUm9rEQpFWRdoa2sRCkxfF3oFBQUFBQUFBQUdEQ pMRhdve2tja2sRCkJPF2NHXRx+aG9SUn1GEQpDWhcbHB0EEhMEGBMEGhEKQl4XGxEKQlwXGxEKQ ksXenxyb2l6UBwBYRoRCkJJF2R5SEAccEx/bGVzEQpCRRdkaX5eQlltb398fxEKQk4XZHlIQBxw TH9sZXMRCkJMF29BQlxjXkIZaVlQEQpCbBduelp4SUBPYlNjUxEKQkAXbB9MSUkFQHsebHoRCkJ YF2J/En1YWmRkGxtlEQpaWBccEQp5QxdhG0xYQHlNW3BTSREKWUsXEhgTGhEKWksXEhgTGhEKcG cXZGxYY2diaAV/c0QQGhEKcGgXa3pNY3JcSEx+bWUQGhEKcGgXYmxBb2FjGl9JGH0QGhEKcGgXY nNSSFpmQXhGRGEQGxsfEQpwaBdiGk5bHW1dYmhmWRAZGhEKcGgXZGZyYl1DBU9GQnoQGhEKcGgX ZBpgRHl/UnAZaEcQGhEKcGgXZhMaS0QeXEhif2wQGhEKcGgXbmBebmRTY214bVoQGhEKcH0XbXN MQm5pbkh4THwQGhEKcH0XYVxYS0VSX30YU18QGhEKcH0XelJIE2JyZUZwQ3wQGhEKcH0XYElNWk VuXUhbX0YQGhEKcH0XZ00SHk5ZYx9lWx8QGhEKcH0XZEFyQnN8e0h8QlAQGhEKcH0XbhJEZG9vX RlLUGwQGhEKcH0XZWFpckVdTHJOXlgQGhEKcH0Xb156AUJoeFMcbkQQGhEKcH8XYxtFX2QbbFod UE4QGxkeEQpwXxdraHhlbFtEYlpaehAbHhoRCnB/F2dvRRtNZGYfTkhJEBseGBEKcF8XYE5NTRN 4c15rRkcQGx4fEQpwXxdpT2MBWHBlYUhDUxAbGhgRCnB/F21DZWQYZkhNYX8aEBIEHxEKcF8XYk hOTXlpQkxZbnoQGxoSEQpwXxdiYk5wRxxcRG5rGRAbGxwRCnBfF3pnZ0dhax1baU5hEBsZGREKc GwXawV8QE1cWxlOYR0QGhEKbX4XGhEKWE0XSxEg
      X-CLX-ShadesMLX
      X-Proofpoint-GUIDS8VrgE9e5lbMpkLyNknJ9E9iiUkX9mBw
      X-Proofpoint-Banner-Triggerinbound
      Content-Typetext/html; charset="utf-8"
      Content-Transfer-Encodingquoted-printable
      X-Proofpoint-Virus-Versionvendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.650,FMLib:17.12.28.16 definitions=2024-05-23_14,2024-05-23_01,2024-05-17_01
      X-Proofpoint-DMARCpass
      X-Proofpoint-Spam-Detailsrule=inbound_notspam policy=inbound score=0 clxscore=98 priorityscore=0 impostorscore=0 spamscore=0 lowpriorityscore=34 adultscore=0 bulkscore=34 phishscore=0 suspectscore=0 mlxscore=0 malwarescore=0 mlxlogscore=899 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2405170001 definitions=main-2405240003 domainage_hfrom=8290 domainage_replyto=8290
      Return-Pathbounces+895984-eca8-ccasali=cedarpoint.com@wknd.wk.cedarfair.info
      X-MS-Exchange-Organization-ExpirationStartTime24 May 2024 00:48:49.1845 (UTC)
      X-MS-Exchange-Organization-ExpirationStartTimeReasonOriginalSubmit
      X-MS-Exchange-Organization-ExpirationInterval1:00:00:00.0000000
      X-MS-Exchange-Organization-ExpirationIntervalReasonOriginalSubmit
      X-MS-Exchange-Organization-Network-Message-Id f2667e94-a4c9-4cc0-d72d-08dc7b8b466a
      X-EOPAttributedMessage0
      X-EOPTenantAttributedMessagec75bbe92-62e3-4671-999f-50980114c67f:0
      X-MS-Exchange-Organization-MessageDirectionalityIncoming
      X-MS-PublicTrafficTypeEmail
      X-MS-TrafficTypeDiagnostic SN1PEPF0002529D:EE_|SA3PR15MB5728:EE_|SA3PR15MB5950:EE_
      X-MS-Exchange-Organization-AuthSource SN1PEPF0002529D.namprd05.prod.outlook.com
      X-MS-Exchange-Organization-AuthAsAnonymous
      X-MS-Office365-Filtering-Correlation-Idf2667e94-a4c9-4cc0-d72d-08dc7b8b466a
      X-MS-Exchange-Organization-SCL1
      X-Microsoft-Antispam BCL:0;ARA:13230031|5073199003|82310400017|4123199003|29132699018|69100299006|5063199003;
      X-Forefront-Antispam-Report CIP:148.163.138.99;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mx0b-003fb001.pphosted.com;PTR:mx0b-003fb001.pphosted.com;CAT:NONE;SFS:(13230031)(5073199003)(82310400017)(4123199003)(29132699018)(69100299006)(5063199003);DIR:INB;
      X-MS-Exchange-CrossTenant-OriginalArrivalTime24 May 2024 00:48:49.0439 (UTC)
      X-MS-Exchange-CrossTenant-Network-Message-Idf2667e94-a4c9-4cc0-d72d-08dc7b8b466a
      X-MS-Exchange-CrossTenant-Idc75bbe92-62e3-4671-999f-50980114c67f
      X-MS-Exchange-CrossTenant-AuthSource SN1PEPF0002529D.namprd05.prod.outlook.com
      X-MS-Exchange-CrossTenant-AuthAsAnonymous
      X-MS-Exchange-CrossTenant-FromEntityHeaderInternet
      X-MS-Exchange-Transport-CrossTenantHeadersStampedSA3PR15MB5728
      X-MS-Exchange-Transport-EndToEndLatency00:00:03.5773873
      X-MS-Exchange-Processed-By-BccFoldering15.20.7587.028
      X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
      MIME-Version1.0

      Icon Hash:46070c0a8e0c67d6
      No network behavior found

      Target ID:0
      Start time:08:46:48
      Start date:24/05/2024
      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\d71f6b59-eef2-4c6c-ae90-74c1ba84e8ac.eml"
      Imagebase:0x100000
      File size:34'446'744 bytes
      MD5 hash:91A5292942864110ED734005B7E005C0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:false

      Target ID:2
      Start time:08:46:49
      Start date:24/05/2024
      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6D70339C-63CB-461D-902F-793D673994D0" "89293EB4-1B23-455F-8075-078CBF49BC6C" "8040" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
      Imagebase:0x7ff7b6410000
      File size:710'048 bytes
      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:false

      No disassembly