Edit tour

Windows Analysis Report
nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml

Overview

General Information

Sample name:	nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml
Analysis ID:	1465767
MD5:	be964f189968923ba4897b8b07f553f9
SHA1:	042fa48d9ea2d35a2efc8450e83ff9e4ddfa952c
SHA256:	e1b0335ca63a9924ab1c4a0a03f4d41c9a67a133c5bb66eede6a92cf7ca353c6
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected suspicious e-Mail

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7432 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7568 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "56083541-0B70-455E-9F4C-7A9181C89EBC" "D75D793C-0C79-4EC6-8D07-C86AB217D8E4" "7432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.aadrm.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.cortana.ai
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.office.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.onedrive.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://api.scheduler.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://app.powerbi.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://augloop.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cdn.entity.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cortana.ai
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cortana.ai/api
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://cr.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://d.docs.live.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://directory.services.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ecs.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://graph.windows.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://graph.windows.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://invites.office.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.windows.local
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://management.azure.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://management.azure.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://messaging.office.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://officeapps.live.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://onedrive.live.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office365.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://service.powerapps.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://settings.outlook.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://substrate.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://tasks.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/10@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240701T2001580936-7432.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "56083541-0B70-455E-9F4C-7A9181C89EBC" "D75D793C-0C79-4EC6-8D07-C86AB217D8E4" "7432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "56083541-0B70-455E-9F4C-7A9181C89EBC" "D75D793C-0C79-4EC6-8D07-C86AB217D8E4" "7432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected suspicious e-Mail

Source: e-Mail

LLM: Score: 9 Reasons: The email impersonates Microsoft, a well-known brand, by using their logo and mentioning 'Microsoft account team'. The sender's email address (no-reply@microsoft.com) appears legitimate at first glance, but the email header shows a different domain (microsoftsupport.com), which is a common spoofing technique. The subject line 'Microsoft account unusual sign-in activity' creates a sense of urgency, a typical phishing characteristic. The email body contains a hyperlink 'Review recent activity' that leads to a suspicious URL (http://microsoftsupport.com/review-activity), which is not an official Microsoft domain. These elements strongly indicate that this is a phishing email.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://api.microsoftstream.com/api/	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://outlook.office.com/autosuggest/api/v1/init?cvid=	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://login.microsoftonline.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/connectors	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	Avira URL Cloud: safe	unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://globaldisco.crm.dynamics.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://safelinks.protection.outlook.com/api/GetPolicy	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://templatesmetadata.office.net/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.office.net	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com/search/api/v2/init	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	URL Reputation: safe	unknown
https://storage.live.com/clientlogs/uploadlocation	A7C3B662-BD03-473A-AE47-07921E69E758.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465767
Start date and time:	2024-07-02 02:00:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml
Detection:	SUS
Classification:	sus21.winEML@3/10@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 20.189.173.12
Excluded domains from analysis (whitelisted): ecs.office.com, onedscolprdwus11.westus.cloudapp.azure.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, dns.msftncsi.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Input	Output
URL: e-Mail Model: gpt-4o	```json{ "riskscore": 9, "brand_impersonated": "Microsoft", "reasons": "The email impersonates Microsoft, a well-known brand, by using their logo and mentioning 'Microsoft account team'. The sender's email address (no-reply@microsoft.com) appears legitimate at first glance, but the email header shows a different domain (microsoftsupport.com), which is a common spoofing technique. The subject line 'Microsoft account unusual sign-in activity' creates a sense of urgency, a typical phishing characteristic. The email body contains a hyperlink 'Review recent activity' that leads to a suspicious URL (http://microsoftsupport.com/review-activity), which is not an official Microsoft domain. These elements strongly indicate that this is a phishing email."}

URL: e-Mail Model: gpt-4o

```json{  "riskscore": 9,  "brand_impersonated": "Microsoft",  "reasons": "The email impersonates Microsoft, a well-known brand, by using their logo and mentioning 'Microsoft account team'. The sender's email address (no-reply@microsoft.com) appears legitimate at first glance, but the email header shows a different domain (microsoftsupport.com), which is a common spoofing technique. The subject line 'Microsoft account unusual sign-in activity' creates a sense of urgency, a typical phishing characteristic. The email body contains a hyperlink 'Review recent activity' that leads to a suspicious URL (http://microsoftsupport.com/review-activity), which is not an official Microsoft domain. These elements strongly indicate that this is a phishing email."}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.385532455217064
Encrypted:	false
SSDEEP:	1536:L2YLrkgsLRpyYRVL1gszJNcAz79ysQqt2lyLdqoQ7wrcm0FvooiyWOofvSGGyvXd:x4gHSHgWmiGu2SqoQcrt0FvVsi+TY9bO
MD5:	2638A0DB071EF78C3AFA3CDD522C21AB
SHA1:	BB5251DDB0ACE92EA1A80C7530904B186E22E9D0
SHA-256:	115F138AEFD35E3B8F55F97EBF63372E40289A1848704EA5A8BCE6259DB897B5
SHA-512:	9A8A59A83E139A15BAAA92298B85A9C2A4D69EC20BED655280347CAAEC2ED9FB39EB61F76BC665E3380242E9338E57A46BCBF441CEB58A3632A1305248AC402F
Malicious:	false
Reputation:	low
Preview:	TH02...... .@.U.........SM01X...,...p{D.............IPM.Activity...........h...............h............H..h$.O......Z0F...h........hq..H..h\jon ...ppDa...h@..0.....O....h.XR-...........h........_`.j...h.YR-@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h.!O%......O...#h....8.........$hhq......8....."h0q...... r....'h..............1h.XR-<.........0h....4.....j../h....h......jH..hHV..p...$.O...-h ........O...+h._R-......O......... ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A7C3B662-BD03-473A-AE47-07921E69E758

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174490
Entropy (8bit):	5.289592977260324
Encrypted:	false
SSDEEP:	1536:Wi2JfRAqcbH41gwEOLe7HWaM/o//MRcAZl1p5ihs7EXXmEAD2OdaB:Tce7HWaM/o/7XDk2
MD5:	4D2BC357EC8128E7B4CA29C17CC121F0
SHA1:	F9D8537866522ECF65C6D389A05493A39FECAB96
SHA-256:	873B75CAC9D89D25A082ABEABD50B5265D248EDA066CD7DB3B8F44505ABF8E64
SHA-512:	A68B32E19EEBEF90EC3AA1A1D90EE90CA3F11D1184E887FF85D0CFE88BFFE22B9EF47D38E14CA63BAB350299D4A70E9DF0648DE15984BA15005ED3060134F3AB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-07-02T00:02:01">.. Build: 16.0.17812.40128-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04568135146424745
Encrypted:	false
SSDEEP:	3:Gtlxtjl/5Ksyw8ClIPlxtjl/5Ksyw8C/lt1R9//8l1lvlll1lllwlvlllglbelDX:GtRKsIClYRKsIC/lF9X01PH4l942wU
MD5:	2B89AA685A8BB032C9CC2FD84DA85570
SHA1:	AAE26B4C204BEB124F4F7C21FDF96BE4EE38ED05
SHA-256:	F739089CDA88A0D0BC7A934C7AB0AE06CEFCCB45ABA886D933013471B323B6EE
SHA-512:	05CBFA07F5224B6895C5DA037CCB4F6D32118E2458732C2A4BB787868B776C50CE2CDC53665DA3C35DA3821B01A32B047D648DADC930AAFC9D54BAD33ADF620B
Malicious:	false
Reputation:	low
Preview:	..-..........................-.ts.)V.N.k.cv..g..-..........................-.ts.)V.N.k.cv..g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4809448181559886
Encrypted:	false
SSDEEP:	48:0PEQ1uk/5Ull7DYMQzO8VFDYM+BO8VFDYML:039ull4DjVGvjVGC
MD5:	AB54D87A93911A60BE012E478564F730
SHA1:	E0E56BAC0927B10ED96632416F89979B296B9284
SHA-256:	51D32743DC146F0EE499F13DABFD79502348B3B822A7D2F8DC4B384AEB942A1B
SHA-512:	481136C5E5D9CADCAE1C464F739FB27D29A427389DB1EA6E8C06CA32FFD2478E9054A30AB03EC661A1148886FACB66743DB3C2286CAF86AEB2AD86E517A338CC
Malicious:	false
Reputation:	low
Preview:	7....-..........ts.)V.N..uv...c.........ts.)V.N.KR.a...@SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719878519187564800_7D00C65E-F213-4F6C-8D55-2A32E12BF56D.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28772), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.15871935144418994
Encrypted:	false
SSDEEP:	3072:tIkEAEdE+BW5bZJRgyVK1Cj31IqqRJWN3zclb:EAEfN
MD5:	D9BAF981187DF95EFEBAC12DA3CCDCCC
SHA1:	3D1E8AF94C0D8308DD3A0E5BB39FC633BA71CD10
SHA-256:	F405A51416109BB4DE472E7C7D9791533A664B10B9365E578C3FA5E9EFEA49B5
SHA-512:	60FDD15DAA5764DF4E366BA7C1DAEA772DD7AA0CEB04F49A5BFAD392A78316B0167DD477B3135F6733B0B473D9B2C309A2112B00FE47EAB05355E0A9E4989822
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/02/2024 00:01:59.233.OUTLOOK (0x1D08).0x1D0C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-07-02T00:01:59.233Z","Contract":"Office.System.Activity","Activity.CV":"XsYAfRPybE+NVSoy4Sv1bQ.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/02/2024 00:01:59.249.OUTLOOK (0x1D08).0x1D0C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-07-02T00:01:59.249Z","Contract":"Office.System.Activity","Activity.CV":"XsYAfRPybE+NVSoy4Sv1bQ.4.10","Activity.Duration":11084,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719878519188838100_7D00C65E-F213-4F6C-8D55-2A32E12BF56D.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240701T2001580936-7432.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.484880543287199
Encrypted:	false
SSDEEP:	768:LBvptWy4N9Nb4z7S41DG97pDadqY9ZXnKAr/Qk8aWoWeWgW8bq:dU41DG97pDadqYvXON
MD5:	E06652D74A95F0921A35DDFD572A8D44
SHA1:	A2978366E93FE9F228B79CB11B6BC7388D4109E2
SHA-256:	8080A273748585C80BCE43AA6EED7B51DAA068ED69533D7258D4DBE1ABB6CD54
SHA-512:	DA1522783850F89662210F7172AE8F1B2F1D1CC0F7E12853E22E2533A319F7B9CA6E245316C45471928BE7B6719EFC8461D5CB25F60E1F6BA984D9032C94E42F
Malicious:	false
Reputation:	low
Preview:	............................................................................b...........kI......................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................P."............kI..............v.2._.O.U.T.L.O.O.K.:.1.d.0.8.:.d.5.d.7.0.8.d.9.3.e.1.2.4.9.7.2.9.f.4.b.1.6.8.0.e.b.e.4.d.4.7.f...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.7.0.1.T.2.0.0.1.5.8.0.9.3.6.-.7.4.3.2...e.t.l.............P.P.........kI......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:0Nllt:0N
MD5:	B55A08DDA74BE95B5EE977FC0E80D8D4
SHA1:	78F29642E283E010C1DC7BC31D22B152456E4FA6
SHA-256:	3A904D4D98B58A788B1D531A40F67F5D23F703D5950E741A165A9ECCDCFD3A23
SHA-512:	FE0EB4C505223F8AC4BDF097317ECC3DECBE94A162A33C558607EAEC0A303272B53CC69E6DA74324F004623CD3501E78B20CF1C54061F9D4AF778AF8ECFD7C5E
Malicious:	false
Reputation:	low
Preview:	..............................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.3290125321454793
Encrypted:	false
SSDEEP:	1536:EBU8lEgorPk8vuILeshBoneCPdXGbuQaK0AW53jEpEHP4qQ10PAwrgHs0nW53jEE:EmAkrvcdXO9p93HBp9
MD5:	7177BADD519FDD31FB349314F374E17C
SHA1:	47D101F1E6D3592466A1FF4490D7886D4F964ECC
SHA-256:	0D9E9F50A7FBE535E881DC46CA3E835EF3ACB1EC0AA6899F2E897DEAC6284A9C
SHA-512:	8A8198AAC6C8EAC4C727D9FFEC2AD0BD5F45C41D7B6E1F96D1AF08B7D10B67F80E5F69F7EEECFC513460879744492608F76B770F7C20C7BEE6F8CCE0CB49C196
Malicious:	false
Reputation:	low
Preview:	!BDN....SM......\..._...................Y................@...........@...@...................................@...........................................................................$.......D...............................0..................................................................................................................................................................................................................................................................................................T.......*....P.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	2.8448688847328616
Encrypted:	false
SSDEEP:	1536:x0wr1y0WVPdXBrPV+W53jEpEHP4qQ10PAwr5SkwUB0/:xydXBrmp9oY
MD5:	FBFABB06C30B52F51AE40FC518C2291F
SHA1:	73458CDE17F4A3937D0E386659222088A8174931
SHA-256:	806ECE077FEF4E0AD14764D76B8F11FCDD2CBE816B3EF0A60E439E4C83DB35A4
SHA-512:	37F06AEA7496D04E90090FF85D06F0AC5C36D5649E0F04817A4BEBE7F3F71EFBF26096F86E573187580397D18AEE49CF8282B6DC823D90957B7C3E222E53C6CF
Malicious:	false
Reputation:	low
Preview:	..hV0...n........................D............#..........................................................................?.............................................................................................................................................................................................................................................................................................................................................................................................................................................@.D.......&.0...o........................B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.0127600570144635
TrID:
File name:	nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml
File size:	8'981 bytes
MD5:	be964f189968923ba4897b8b07f553f9
SHA1:	042fa48d9ea2d35a2efc8450e83ff9e4ddfa952c
SHA256:	e1b0335ca63a9924ab1c4a0a03f4d41c9a67a133c5bb66eede6a92cf7ca353c6
SHA512:	46413e2a184d596e963b30787d10f9c3b5ea4af2b234fac07eae21a376f42a70954b8c738b2caf816b97e462c81efb2c30baa362ca498a34c855227161d76acf
SSDEEP:	192:qaMyJ7lPQCdo1RlIdqhMq7SfT08a3RGWjOaiyS:NJZIIYR60R7Q0zRiyS
TLSH:	A8026C25ADB60835A8C5F2CD5E01FC0FB2410CCEA2B799C0B1AC62A50BC789D9AD615E
File Content Preview:	Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10on2126.outbound.protection.outlook.com [40.107.94.126])...by mx0b-00109701.pphosted.com (PPS) with ESMTPS id 402bj7h05d-1...(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits

Static Mail

General

Subject:	Bill Status Request - Ref ID: A006296591; 2145680
From:	"billreview@uhsweb.com" <billreview@uhsweb.com>
To:	Support <support@healthesystems.com>
Cc:
BCC:
Date:	Mon, 01 Jul 2024 20:52:51 +0000
Communications:	Hello, We are requesting payment status on behalf of AdventHealth Centra Care (Epic), Tax ID: 593209688, for the following claim: Patient Name: Luz Calzograce Claim Number: 1145033 Date of Injury/Date of Loss: 07/25/2023 Date of Service Range: 08/28/2023 to 08/28/2023 Billed Amount: $14.05 Could you please provide the following information for the claim mentioned above? Is the Appeal one of the following?: Processing -- Denied -- Paid -- Not Received Received Date: Denial Date: Denial Reason: Check Number: Check Date: Check Amount: Payment Address: Adjuster Name, Phone Number & Email: Please attach any denial documentation, EOBs or check copies that can assist with resolution. We appreciate your time. Sincerely, M. P. Johnson Bill Status Review Specialist Unified Health Services Ref ID: A006296591; 2145680
Attachments:

Headers

Key	Value
Received	from UHSAPPA1 (4.32.41.27) by MN1PEPF0000F0DF.mail.protection.outlook.com (10.167.242.37) with Microsoft SMTP Server id 15.20.7741.18 via Frontend Transport; Mon, 1 Jul 2024 20:52:51 +0000
From	"billreview@uhsweb.com" <billreview@uhsweb.com>
To	Support <support@healthesystems.com>
Subject	Bill Status Request - Ref ID: A006296591; 2145680
Thread-Topic	Bill Status Request - Ref ID: A006296591; 2145680
Thread-Index	AQHay/ipwhN6g5m+uUKpoR3Q3lJ6TQ==
X-MS-Exchange-MessageSentRepresentingType	1
Date	Mon, 01 Jul 2024 20:52:51 +0000
Message-ID	<a7c4012b-1f14-494e-a4a7-177a78894736@MN1PEPF0000F0DF.namprd04.prod.outlook.com>
X-MS-Has-Attach
X-MS-TNEF-Correlator
X-MS-Exchange-Organization-RecordReviewCfmType	0
received-spf	Pass (protection.outlook.com: domain of uhsweb.com designates 4.32.41.27 as permitted sender) receiver=protection.outlook.com; client-ip=4.32.41.27; helo=UHSAPPA1; pr=C
x-ms-publictraffictype	Email
x-ms-office365-filtering-correlation-id	d1fa929d-ecb3-404a-895c-08dc9a0fc5ba
x-ms-traffictypediagnostic	MN1PEPF0000F0DF:EE_\|IA1PR14MB5754:EE_
x-eopattributedmessage	0
x-forefront-antispam-report	CIP:4.32.41.27;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:UHSAPPA1;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(36860700013)(1800799024)(376014)(82310400026);DIR:OUT;SFP:1102;
x-originatororg	uhsweb.com
x-clx-response	1TFkXGB4YEQpMehcaEQpZRBdlAX9HXVlNZX1sQBEKWFgXYk1fYm9BWXlOZHg RCnhOF24BeHhQZlJ8cwFpEQp5TBdrHFp+QlkbWE5oWhEKQ0gXBxgSHREKQ1kXBxkTGhEKQ0kXGg QaGhoRCllNF2dmchEKWUkXGnEaEBp3BhgYGHEbHBwQGncGGBoGGhEKWV4XbGx5EQpJRhdCT0tGX kJPWVNZXk9HWXVCRVleT04RCklHF3hPTREKQ04XXV9AW0F1RFN6E09cHWF4ZEkfGlx9S1gSRmFJ WHNCHFwRClhcFx8EGgQZHBwFGxoEGxsaBBsZHgQZHxAbHhofGhEKXlkXTl9mXG8RCk1cFx8dEQp MWhdpa2FNQU0RCkxGF29rY2traxEKQk8XbXJpXm5PTBNSHxwRCkNaFx4aBBsaHQQTHgQbGBwRCk JeFxsRCkJcFxsRCl5OFxsRCkJLF24BeHhQZlJ8cwFpEQpCSRduAXh4UGZSfHMBaREKQkUXYk1fY m9BWXlOZHgRCkJOF24BeHhQZlJ8cwFpEQpCTBdiTV9ib0FZeU5keBEKQmwXYk1fYm9BWXlOZHgR CkJAF2IcS1MaQmlHfH8FEQpCWBdjUmVbXnxbawFAGBEKTV4XGxEKWlgXGxEKeUMXbG8TUhxfaHl IXUERCllLFxMaEh8RCnBoF2RtZkRueGl9T2ViEBoRCnBoF2NcH0NyXEtARUtDEB4SEQpwaBdvZF AbW1hHSFBLHRAaEQpwaBdoXGBTZ0kZeV5JGBAeEhEKcGgXY20dZ0x4WUlIGE4QGhEKcGgXZG4ec G5+GRheGmgQGhEKcEMXaFlaY2t7Q2hDGUgQEx8RCm1+FxsRClhNF0sRIA==
x-clx-shades	MLX
arc-seal	i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DpKXNlqL+MZwem9Sd6Ul3Y5KSo+RQ5USwGRr5P1ZFnuxeY11foCpnBAaj+OwmgcSPZyuJyMANZFL1wfED1m+TMbaNBTwT3XRA/mlLGXSdJv0S2oFtztka97vVv4Bb165J50LjGw0ixomAC1hLgyOFVZdFgcGAxbCj6EzpHZyaT22UF+SFFLjQ/AZS0WqG0/oKftYtti/kF55ed63GlfuODzbHTmNX/+I714/wEgFPDLzZmGx+C3dDTGvSTFavgpkUJWT4IX9xu3NTub6MV3cATkkZthIy0MB9TfnSVTx4dK197fAuLoODmvvAAGDLJCQgIl2XLD6TpbVuliqHMdWMg==
arc-message-signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Wj83RCZYauKm/3m3mrK1WVdGoMDvnw14Sjg3gScxly8=; b=NCLGPK1ZDNZVlhj7zS9mq6jjv1mLUf1FiYb1TLwM8ghJ2Fc+EB8bCYdKxJGLXVwXrGRZvgK+IDDkXRkQQpMHPQZz+LmxgCqe05aYrO+5Whgg4o/RkzfJryvhZ/oEylg8aTF18yO/YZcJ/AGlrIwXKXd0ieNNIDfPx4t1hqKCSgM77BZjbvypbZBkreVmFMkEQv1yjkNkHnenvfRvDmyZ8m9QS/KYFIUoEufmHxD14HUrAEDI+k15JoO4/AlewnL7r+SAxJKmZuzLl47Ymnx4m0eeeEDLa7cNflvK5CC+eMxi6iqfKO1SnkN9Aj/67VyYbgHvO5r8wXvwEt44Hs2Dcw==
arc-authentication-results	i=1; mx.microsoft.com 1; spf=pass (sender ip is 4.32.41.27) smtp.rcpttodomain=healthesystems.com smtp.mailfrom=uhsweb.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=uhsweb.com; dkim=none (message not signed); arc=none (0)
dkim-signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=uhsweb.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Wj83RCZYauKm/3m3mrK1WVdGoMDvnw14Sjg3gScxly8=; b=EJ3+AZRpjSkbcl+osui+fFoRa4jPzizYZm3ih3vq6YJmXlQbZ+qrNK3BfMluciFx6Z6gMNOs+CpBUgfNpPCHQrSW3I1yzEdDl0hkmu0XqrBUlsixI9R9lbIkgX0Tn+Dub+w15/+kMqRYNfy/2G8PBxBZU4Cdw0m8/g4Jvuk+khU=
x-ms-exchange-senderadcheck	1
x-ms-exchange-transport-crosstenantheadersstamped	IA1PR14MB5754
x-microsoft-antispam	BCL:0;ARA:13230040\|36860700013\|1800799024\|376014\|82310400026;
x-ms-exchange-crosstenant-network-message-id	d1fa929d-ecb3-404a-895c-08dc9a0fc5ba
x-ms-exchange-crosstenant-originalarrivaltime	01 Jul 2024 20:52:51.1509 (UTC)
x-ms-exchange-crosstenant-fromentityheader	HybridOnPrem
x-ms-exchange-crosstenant-id	f972c0cf-85cf-4203-8599-eb90be9f6604
x-ms-exchange-crosstenant-originalattributedtenantconnectingip	TenantId=f972c0cf-85cf-4203-8599-eb90be9f6604;Ip=[4.32.41.27];Helo=[UHSAPPA1]
x-microsoft-antispam-message-info	l6IxLDUW43YBE4AFlMu5DhZA2RBYGsjs/0QZr23lhIk2eZC5rNwDcGxw0cgmpcjAP0rXo8DI8WVqXp6zOZNywrCSOWNJ6AX8nIYyrEKL3PcwCVPnlbBFndGObahJ3niORwBlTaplHRGwnoH7Wq+jPmOjQpiepR24VZ66kYbZv8u/QGBNj5ztkl7TFVbQEEVSTwzDydPeakqcnKP+KiQjDWQN5qIePTpPM9zSfNghZF4QatKYMlCVcug6+rBysmeTWBA5TxMX6IiwBl9K5xeDc5y8Ell/g4czs3RoOIbMXO0RPOSXQQcVRf+mFpbw/mWMgSc0vh1vccf/JBNVwMRO7/eHvmGExseVdJLWt9CR8oiuBWMaVEYj8cL/s+cMgq0RLwHli7v/Cn87Kd3NQk3yGhdTDPN4tp+6IupbEhtTsm5IfhX5omfz3aalG8R1AB7BYmqyyidesuSatoaElFOdkI5NSqVkNZ6RsNCqXwdj0/zwRq6Bb2lpdcStCKW8ANrCu+559OIF8Omi7yhtcJO3cBLKqFMdgQ310+ebrIV7fBAzfikc6WcBXWzfg4nDuJjLb1HfAdUTz2evDcC+Z3KgBYab1hGHINnAMl0QB3pTQad897OF0tNY0SA9Wl4Q1BMp+ixcAmj0N4eESo2iRHTYfIgYiYgF3s4Nw7CsTu47cYkjqkY2VsdvVZ3Pe+2VFq5+mLM+x9RU9ED160kVbtHrVmt87JZ7fNlGHlQdtmqBtZyoTFm37IIfAGE42GyMThzjJ0b5uc2Y0nWR11j6p65Ie9aglJKxzaIelE9J3lNoBQEkBykpdVqIrGj9ca2B/CgCoPED54qfU/oCxoeVhTKvzC8NVMSJr34mSAF/uUut2a7SX/5sdj+WGePbEu4neerV70LpS1Ep7M7NphNPyUBwRFtBvaABdtwGcKtM/sPFCY2wC2j1rRp4kmmIM9vE2COG5Fr078x99lDVbY1HFoPAizBCfuW2/f5DeKB67QJAUnNOXs8s0wGXjniZeSg2D9B2fYfd6q7Bodn0QkHJuc2Q9npXoxDaA3U+ZdYlSmVNR1+uH5VvBcYCzKoUh/ilS8WYeOjxiGTPyjciXJ6E0YDG9hlsknNW2iwlfwGB1i2gJPGsAye3vyIXEQqrKGBn50UQpuBUSPUEPkjizlpFX1/cxtSmCn+ZbBYVTnBVrTFQEZJWheEYos07K7E9aN7LgA0NYazxwk4ij56xP2AAkcS5VtjGi0xijR79Dz6nNcNPmpLpPSuCEbUS5xLxG2i6FaTbpuFMgNRr23OSa5Pvif4HR5cDozclG8YmTBiWFaDFxdgPtf10jj+G0VPhzh9y5smc0dZcPBJBVdNMN46QgLDLUek4ac1gwd7bFhhhLsupjOfvt/KiXG0YC/vxdlcwcitJ11Y/dJa2enYH3KvAAj4il4wqaoTDgENy3EgxhtNiZ8lDMofx7b0gYzewF2N9FJ8x
x-ms-exchange-crosstenant-authsource	MN1PEPF0000F0DF.namprd04.prod.outlook.com
x-ms-exchange-crosstenant-authas	Anonymous
x-proofpoint-guid	wujqk_nyP9ev7KRNc50vWar8lKcrYh6v
x-proofpoint-orig-guid	wujqk_nyP9ev7KRNc50vWar8lKcrYh6v
Content-Type	text/plain; charset="us-ascii"
Content-ID	<13C421D751E8BB4A8F0DFA2416E88CC8@namprd15.prod.outlook.com>
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 02:02:11.668076038 CEST	53	63346	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	20:01:58
Start date:	01/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml"
Imagebase:	0xe40000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:02:00
Start date:	01/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "56083541-0B70-455E-9F4C-7A9181C89EBC" "D75D793C-0C79-4EC6-8D07-C86AB217D8E4" "7432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff686790000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A7C3B662-BD03-473A-AE47-07921E69E758

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719878519187564800_7D00C65E-F213-4F6C-8D55-2A32E12BF56D.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719878519188838100_7D00C65E-F213-4F6C-8D55-2A32E12BF56D.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240701T2001580936-7432.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: OUTLOOK.EXEPID: 7432, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
nested-Bill Status Request - Ref ID%3A A006296591; 2145680.eml