Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Re Re Re Re INV-428-87443..msg

Overview

General Information

Sample name:Re Re Re Re INV-428-87443..msg
Analysis ID:1466684
MD5:4c7bee5a0bbf91f85f19d452e1eacd00
SHA1:d569ca5dfe2f8c26d22ed95b38d427b11dc86dcb
SHA256:8a6b19cdfabae0e37f8d8cb1d379f4a096a6c1664f1d947c2c445d3a7e899fc0
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 5340 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Re Re Re Re INV-428-87443..msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7236 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC3AC3B1-AE67-486E-942E-343FE1592A34" "C297FDC9-C691-44F6-9746-1B3F495AB962" "5340" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.aadrm.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.aadrm.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.cortana.ai
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.microsoftstream.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.office.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.onedrive.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://api.scheduler.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://app.powerbi.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://augloop.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://augloop.office.com/v2
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cdn.entity.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://config.edge.skype.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cortana.ai
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cortana.ai/api
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://cr.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://d.docs.live.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dev.cortana.ai
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://devnull.onenote.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://directory.services.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ecs.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://edge.skype.com/registrar/prod
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://edge.skype.com/rps
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://graph.windows.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://graph.windows.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ic3.teams.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://invites.office.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://lifecycle.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.microsoftonline.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.microsoftonline.com/organizations
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.windows.local
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://make.powerautomate.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://management.azure.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://management.azure.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.action.office.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.engagement.office.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://messaging.office.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ncus.contentsync.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://officeapps.live.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://officepyservice.office.net/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://onedrive.live.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://otelrules.azureedge.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://otelrules.svc.static.microsoft
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office365.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office365.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://outlook.office365.com/connectors
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://pages.store.office.com/review/query
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: Re Re Re Re INV-428-87443..msg, ~WRS{E9171DD2-231E-46D0-A513-B90B601389B3}.tmp.0.drString found in binary or memory: https://portail-demande.chu-brest.fr/servicedesk/customer/portal/2/user/login?destination=portal%2F2
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://pushchannel.1drv.ms
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://res.cdn.office.net
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://service.powerapps.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://settings.outlook.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://staging.cortana.ai
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://substrate.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://tasks.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://templatesmetadata.office.net/
Source: ~WRS{E9171DD2-231E-46D0-A513-B90B601389B3}.tmp.0.drString found in binary or memory: https://u11274505.ct.sendgrid.net/ls/click?upn=u001.xbKAJPUlNzBpPoo-2BvJOvExH-2BDY0F3cjPbxyIYVrYi891
Source: Re Re Re Re INV-428-87443..msgString found in binary or memory: https://u11274505.ct.sendgrid.net/wf/open?upn=u001.4PAOISG5fKwGvqjK-2F0r0ij3WvMMXaoFZ5N8AKXsr7TcNrkC
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://wus2.contentsync.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 656F40F9-DE86-46EA-ACB7-F78822106048.0.drString found in binary or memory: https://www.yammer.com
Source: classification engineClassification label: clean1.winMSG@3/18@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0315570081-5340.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Re Re Re Re INV-428-87443..msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC3AC3B1-AE67-486E-942E-343FE1592A34" "C297FDC9-C691-44F6-9746-1B3F495AB962" "5340" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC3AC3B1-AE67-486E-942E-343FE1592A34" "C297FDC9-C691-44F6-9746-1B3F495AB962" "5340" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory13
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1466684 Sample: Re Re Re Re INV-428-87443..msg Startdate: 03/07/2024 Architecture: WINDOWS Score: 1 5 OUTLOOK.EXE 66 140 2->5         started        process3 7 ai.exe 5->7         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://api.diagnosticssdf.office.com0%URL Reputationsafe
https://api.diagnosticssdf.office.com0%URL Reputationsafe
https://login.microsoftonline.com/0%URL Reputationsafe
https://shell.suite.office.com:14430%URL Reputationsafe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize0%URL Reputationsafe
https://autodiscover-s.outlook.com/0%URL Reputationsafe
https://useraudit.o365auditrealtimeingestion.manage.office.com0%URL Reputationsafe
https://outlook.office365.com/connectors0%URL Reputationsafe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr0%URL Reputationsafe
https://cdn.entity.0%URL Reputationsafe
https://api.addins.omex.office.net/appinfo/query0%URL Reputationsafe
https://clients.config.office.net/user/v1.0/tenantassociationkey0%URL Reputationsafe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/0%URL Reputationsafe
https://powerlift.acompli.net0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://lookup.onenote.com/lookup/geolocation/v10%URL Reputationsafe
https://cortana.ai0%URL Reputationsafe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech0%URL Reputationsafe
https://api.powerbi.com/v1.0/myorg/imports0%URL Reputationsafe
https://cloudfiles.onenote.com/upload.aspx0%URL Reputationsafe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
https://entitlement.diagnosticssdf.office.com0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://ofcrecsvcapi-int.azurewebsites.net/0%URL Reputationsafe
https://ic3.teams.office.com0%URL Reputationsafe
https://www.yammer.com0%URL Reputationsafe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies0%URL Reputationsafe
https://api.microsoftstream.com/api/0%URL Reputationsafe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive0%URL Reputationsafe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive0%URL Reputationsafe
https://cr.office.com0%URL Reputationsafe
https://messagebroker.mobile.m365.svc.cloud.microsoft0%URL Reputationsafe
https://otelrules.svc.static.microsoft0%URL Reputationsafe
https://portal.office.com/account/?ref=ClientMeControl0%URL Reputationsafe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory0%URL Reputationsafe
https://edge.skype.com/registrar/prod0%URL Reputationsafe
https://graph.ppe.windows.net0%URL Reputationsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
https://tasks.office.com0%URL Reputationsafe
https://officeci.azurewebsites.net/api/0%URL Reputationsafe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work0%URL Reputationsafe
https://api.scheduler.0%URL Reputationsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://api.aadrm.com0%URL Reputationsafe
https://edge.skype.com/rps0%URL Reputationsafe
https://outlook.office.com/autosuggest/api/v1/init?cvid=0%URL Reputationsafe
https://globaldisco.crm.dynamics.com0%URL Reputationsafe
https://messaging.engagement.office.com/0%URL Reputationsafe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech0%URL Reputationsafe
https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://api.diagnosticssdf.office.com/v2/feedback0%URL Reputationsafe
https://api.powerbi.com/v1.0/myorg/groups0%URL Reputationsafe
https://web.microsoftstream.com/video/0%URL Reputationsafe
https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
https://graph.windows.net0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
https://analysis.windows.net/powerbi/api0%URL Reputationsafe
https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
https://substrate.office.com0%URL Reputationsafe
https://outlook.office365.com/autodiscover/autodiscover.json0%URL Reputationsafe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios0%URL Reputationsafe
https://consent.config.office.com/consentcheckin/v1.0/consents0%URL Reputationsafe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech0%URL Reputationsafe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices0%URL Reputationsafe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json0%URL Reputationsafe
https://safelinks.protection.outlook.com/api/GetPolicy0%URL Reputationsafe
https://ncus.contentsync.0%URL Reputationsafe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/0%URL Reputationsafe
http://weather.service.msn.com/data.aspx0%URL Reputationsafe
https://apis.live.net/v5.0/0%URL Reputationsafe
https://officepyservice.office.net/service.functionality0%URL Reputationsafe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks0%URL Reputationsafe
https://templatesmetadata.office.net/0%URL Reputationsafe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios0%URL Reputationsafe
https://messaging.lifecycle.office.com/0%URL Reputationsafe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml0%URL Reputationsafe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h0%Avira URL Cloudsafe
https://pushchannel.1drv.ms0%URL Reputationsafe
https://portail-demande.chu-brest.fr/servicedesk/customer/portal/2/user/login?destination=portal%2F20%Avira URL Cloudsafe
https://management.azure.com0%URL Reputationsafe
https://outlook.office365.com0%URL Reputationsafe
https://wus2.contentsync.0%URL Reputationsafe
https://incidents.diagnostics.office.com0%URL Reputationsafe
https://clients.config.office.net/user/v1.0/ios0%URL Reputationsafe
https://make.powerautomate.com0%URL Reputationsafe
https://api.addins.omex.office.net/api/addins/search0%URL Reputationsafe
https://insertmedia.bing.office.net/odc/insertmedia0%URL Reputationsafe
https://outlook.office365.com/api/v1.0/me/Activities0%URL Reputationsafe
https://api.office.net0%URL Reputationsafe
https://incidents.diagnosticssdf.office.com0%URL Reputationsafe
https://asgsmsproxyapi.azurewebsites.net/0%URL Reputationsafe
https://clients.config.office.net/user/v1.0/android/policies0%URL Reputationsafe
https://entitlement.diagnostics.office.com0%URL Reputationsafe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json0%URL Reputationsafe
https://my.microsoftpersonalcontent.com0%Avira URL Cloudsafe
https://d.docs.live.net0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://login.microsoftonline.com/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://shell.suite.office.com:1443656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://autodiscover-s.outlook.com/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/connectors656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://cdn.entity.656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/appinfo/query656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://powerlift.acompli.net656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://rpsticket.partnerservices.getmicrosoftkey.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://lookup.onenote.com/lookup/geolocation/v1656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://cortana.ai656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.powerbi.com/v1.0/myorg/imports656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://cloudfiles.onenote.com/upload.aspx656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://entitlement.diagnosticssdf.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.aadrm.com/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://ofcrecsvcapi-int.azurewebsites.net/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://ic3.teams.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://www.yammer.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.microsoftstream.com/api/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://cr.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • Avira URL Cloud: safe
unknown
https://portail-demande.chu-brest.fr/servicedesk/customer/portal/2/user/login?destination=portal%2F2Re Re Re Re INV-428-87443..msg, ~WRS{E9171DD2-231E-46D0-A513-B90B601389B3}.tmp.0.drfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://otelrules.svc.static.microsoft656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://portal.office.com/account/?ref=ClientMeControl656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://edge.skype.com/registrar/prod656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://graph.ppe.windows.net656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://res.getmicrosoftkey.com/api/redemptionevents656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://powerlift-frontdesk.acompli.net656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://tasks.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://officeci.azurewebsites.net/api/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.scheduler.656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://my.microsoftpersonalcontent.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://store.office.cn/addinstemplate656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.aadrm.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://edge.skype.com/rps656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://globaldisco.crm.dynamics.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.engagement.office.com/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://dev0-api.acompli.net/autodetect656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://www.odwebp.svc.ms656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.diagnosticssdf.office.com/v2/feedback656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.powerbi.com/v1.0/myorg/groups656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://web.microsoftstream.com/video/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.store.officeppe.com/addinstemplate656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://graph.windows.net656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://dataservice.o365filtering.com/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://officesetup.getmicrosoftkey.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://analysis.windows.net/powerbi/api656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://prod-global-autodetect.acompli.net/autodetect656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://substrate.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/autodiscover/autodiscover.json656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://consent.config.office.com/consentcheckin/v1.0/consents656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://d.docs.live.net656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://safelinks.protection.outlook.com/api/GetPolicy656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://ncus.contentsync.656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
http://weather.service.msn.com/data.aspx656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://apis.live.net/v5.0/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://officepyservice.office.net/service.functionality656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://templatesmetadata.office.net/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.lifecycle.office.com/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://u11274505.ct.sendgrid.net/wf/open?upn=u001.4PAOISG5fKwGvqjK-2F0r0ij3WvMMXaoFZ5N8AKXsr7TcNrkCRe Re Re Re INV-428-87443..msgfalse
  • Avira URL Cloud: safe
unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://pushchannel.1drv.ms656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://management.azure.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://wus2.contentsync.656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnostics.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/ios656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://make.powerautomate.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/api/addins/search656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/odc/insertmedia656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/api/v1.0/me/Activities656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://api.office.net656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnosticssdf.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://asgsmsproxyapi.azurewebsites.net/656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/android/policies656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://u11274505.ct.sendgrid.net/ls/click?upn=u001.xbKAJPUlNzBpPoo-2BvJOvExH-2BDY0F3cjPbxyIYVrYi891~WRS{E9171DD2-231E-46D0-A513-B90B601389B3}.tmp.0.drfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://entitlement.diagnostics.office.com656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json656F40F9-DE86-46EA-ACB7-F78822106048.0.drfalse
  • URL Reputation: safe
unknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466684
Start date and time:2024-07-03 09:14:44 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Re Re Re Re INV-428-87443..msg
Detection:CLEAN
Classification:clean1.winMSG@3/18@0/0
Cookbook Comments:
  • Found application associated with file extension: .msg

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.76.243, 2.19.126.160, 2.19.126.151, 20.189.173.13
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedscolprdwus12.westus.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

LLM Input / Output

InputOutput
URL: e-Mail Model: gpt-4o
```json{  "riskscore": 7,  "brand_impersonated": "Unknown",  "reasons": "1. The email contains an external warning message in French, which suggests caution when dealing with external emails. This is a common practice to alert users about potential phishing attempts.\n2. The email subject and body create a sense of urgency by mentioning an invoice and an order number, which is a common tactic used in phishing emails to prompt immediate action.\n3. The email includes an attachment with a generic name 'Commercial Invoice', which is often used in phishing emails to trick users into opening malicious files.\n4. The email does not provide any specific information about the sender or the company, which is unusual for legitimate business communications.\n5. The hyperlink text 'Portail' and the attachment name do not provide any clear indication of a legitimate business or brand, making it difficult to verify the authenticity of the email.\n6. The email lacks personalized information, which is often a sign of phishing attempts as legitimate businesses usually address recipients by their names or provide specific details related to their accounts or transactions."}

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.389462649394526
Encrypted:false
SSDEEP:1536:8RYLPrgswQX+TgG9FgsOkNcAz79ysQqt2y3YFqoQHurcm0FvSfByWyCV72+QJYAP:Tjg/0GgwmiGu27qoQOrt0FvpGknpeEx
MD5:024725883CE48325315995636CCDFB28
SHA1:6DAF1EEA8BF431BAD7A213A025FF2472E6A67837
SHA-256:3418BC3B78F4AB48A6B17EDEB482A53307CB40D1384E499997C81AD1F5914329
SHA-512:488012517BF497432B9E721C95BBA5DD27C7A0838A2F12629E95B16CD31532FAB61C33B6D7F0F842D11D701D3F99BD2BECE43B27DF75A2EF2FA475B3CE730938
Malicious:false
Reputation:low
Preview:TH02...... . k@.........SM01X...,...P:2.............IPM.Activity...........h...............h............H..h,........P....h........X...H..h\hub ...AppD...h..s.0..........h/H.............h........_`.k...h.I..@...I.Dw...h....H...8..k...0....T...............d.........2h...............k..............!h.............. h.`8I..........#h....8.........$hX.......8....."h..............'h..G...........1h/H..<.........0h....4.....k../h....h......kH..h....p...,.....-h ............+h.K..... ................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):322260
Entropy (8bit):4.000299760592446
Encrypted:false
SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:CC90D669144261B198DEAD45AA266572
SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:false
Reputation:moderate, very likely benign file
Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):10
Entropy (8bit):2.0464393446710156
Encrypted:false
SSDEEP:3:LqTU:eTU
MD5:C4E1E760A1602CCFE79B1F86908E90E6
SHA1:EA8BFD593446841927C151BC46BA01138E22D403
SHA-256:2556A9E564D393371E54F00F1340E4060E3873107440550C3E7371588B7D543D
SHA-512:4218DC60F7E7659DF40D5A808112DCFA4E27693D9F7222B291D81C7D61A4E23A712D92F275228309B0648508732B86EB3AEFBF0E15A0CB13E740B1B1FD23B2F0
Malicious:false
Reputation:low
Preview:1719990961

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\656F40F9-DE86-46EA-ACB7-F78822106048

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):174490
Entropy (8bit):5.28963197278415
Encrypted:false
SSDEEP:1536:Vi2JfRAqcbH41gwEOLe7HWaM/o//MRcAZl1p5ihs7EXXmEAD2OdaB:ace7HWaM/o/7XDk2
MD5:A1FA3E81083E056A00332A77F77B1910
SHA1:93C40C2CD16D28AB94A82C233C99F2AE800E276C
SHA-256:11B498A8F4D3A6DD115FB3BB68697471DDF660209C7C73E1A26D251E65C26E7A
SHA-512:0422F0AA6974C981403738E6262352BB6CAC0AD481F6C9661461C96E26D513A87D7C69804353856D36504F1321B2A83BC8E071EEE9A63A28180E0E5A18D841C8
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-07-03T07:15:59">.. Build: 16.0.17812.40128-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:dropped
Size (bytes):4096
Entropy (8bit):0.09304735440217722
Encrypted:false
SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5:D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:false
Reputation:moderate, very likely benign file
Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):4616
Entropy (8bit):0.1384465837476566
Encrypted:false
SSDEEP:3:7FEG2l+1ZQlH/FllkpMRgSWbNFl/sl+ltlslN04l9Xll1ZB:7+/loQlBg9bNFlEs1E39l
MD5:AB6D3FF771AF53B8D217084C5787E6D1
SHA1:98B6132DFB017FFBF8362087B6133D0D60F48ECF
SHA-256:0C3EAE28F625CC327EAFB2FB4A1026FE8BC4DE75805C862D1AAC07AE3D1464AE
SHA-512:8C9725A7C2F71FB01F10B6658AA54BDB3D21B39F004CCE44DA06A0A3E7A70F6190807A41700CEB1321F6D8F38E5DB14F8BD1B5A93C47AA79A7EEE97933514D51
Malicious:false
Reputation:low
Preview:.... .c.......<.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04450027198542196
Encrypted:false
SSDEEP:3:G4l2ml2XTzR7Y4l2ml2XTzRh/l8lL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2Pd7Y4l2PdhSL9XXPH4l942U
MD5:59E4EA99E5E417E4A804A3334AA613EE
SHA1:CFFE04B3F44DF22535461EE49D9A4ECAADB95DED
SHA-256:44F328D3D015A09359F8F718E7DA9EB2989535B039B325945617A2423CBC06D7
SHA-512:87213F09293E74C7DDBADE803FE417B6CA6A6718EAACF192B86A2A32EEC722E753FEB1DD94609EB58C74CA718D852B670722EC28D553147D02A05A8C59765008
Malicious:false
Reputation:low
Preview:..-......................G.,.0.[.d.&..._.+.aw?....-......................G.,.0.[.d.&..._.+.aw?..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):45352
Entropy (8bit):0.3930650629286964
Encrypted:false
SSDEEP:24:K5z9XQMIzRDOaNjill7DBtDi4kZERDO3Ylxqt8VtbDBtDi4kZERDO:Qz9XQjdill7DYMaYlxO8VFDYM
MD5:FA7C9E081B92E5A667C03FA860FCD73D
SHA1:2C87C9236D6C64BE6E8416F916B0D5763021B2E3
SHA-256:860C3D90626FB08BFC39B82B54AB5BE432BE33A4B5B401EC2EF8E10A354B54E4
SHA-512:F91887850A752407DD2B959307C766E54C1BCA8D082CE520D56E3DF5768F70E3FF5C10D3EBEF99E149CA85BCD94A237CEA1011C01D6ECCFC8D2269722314E294
Malicious:false
Reputation:low
Preview:7....-...........d.&..._..g...M..........d.&..._C\\..Q'-SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1F5EA51D.dat

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left], baseline, precision 8, 30x30, components 3
Category:dropped
Size (bytes):3290
Entropy (8bit):6.3598969641055945
Encrypted:false
SSDEEP:48:KVKkh3qk/3s8603qk0eenDs2QDuERAm+OPPvZFQ4RYZuLBm46r0Na:lpkKTk0jsF6EP/Pxm4SuLJ6r08
MD5:3E5AAAE354748CD8F986C50D00ADC743
SHA1:F58D255D188CF376FDECE3778A79A76178D41C7F
SHA-256:16CC49554547681628F3E66390BCE8348B6119D19752D35D7D4398DBC59BF6CA
SHA-512:8822AD38E87FAC5279C7821D264E85B9FBBDF8592158336FDBFB1A31EF08817B4CEE1062AF8D6A00244534D26EF7053B5C936852C4CAFC46197FFD25F9FFECD1
Malicious:false
Reputation:low
Preview:......JFIF.....`.`......Exif..MM.*...................;.........V.i.........d.......................J................................................................................................................................................................................................................................................................................Administrator..................................47..........47..............................................................................................................................................................................................................................................................................................2024:06:26 20:32:36.2024:06:26 20:32:36...A.d.m.i.n.i.s.t.r.a.t.o.r...... http://ns.adobe.com/xap/1.0/.<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>..<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E9171DD2-231E-46D0-A513-B90B601389B3}.tmp

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):5188
Entropy (8bit):2.931013144821034
Encrypted:false
SSDEEP:96:NXO8v8HETLDGAVK1cfZGKE+yRgggggbfuU3MRSE2Tn:NXO8EGK1gGKouGU3gSE2Tn
MD5:49885C0B16E38D2A58F2B9110D05F448
SHA1:84EBF3DDA6A924FAAE1C42ED6982738C43BC7CD3
SHA-256:C73F78FB28E747405B9D9980D3343CB417CCE02AF8D247FF51539B13959BBA29
SHA-512:99B0DE9D47AAF6206A2FACB212F0D781EC4007EE538A9170D1A6C5157C32FC5297A77A182AC3A8404BACF0F44972C9AE5B16283E966CE9BD4615747863ABC389
Malicious:false
Reputation:low
Preview:....<.b.o.d.y.....M.E.S.S.A.G.E. .E.X.T.E.R.N.E. .:. ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................r...t...x..........................................................................................................................................................................................................................................................................................................................................................................-D..M.........................<.\$.*...$..$.If........!v..h.#v....:V.......t.....6......5.......4

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719990957298855900_97BBFC6E-47C3-4596-925E-1ECEBB96BE15.log

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28736), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.1596782673195948
Encrypted:false
SSDEEP:1536:bWdcEfGa4XTWcoctDb1yfRCqs24gJv2jZmpuvAAVaAKB5:mf1Inoc5UKA
MD5:CB64E44C3859B7D4571C14300F2691F4
SHA1:731F451C804D457105408CF4D15C42AF0CB3EC2D
SHA-256:DA8D6CD4AE1D429C2415E9AC3C6792E392866604A29218100CDD9E07558349DA
SHA-512:D87E157052A0DBB97A5688F0FE8FA6B5F463826EE8A8AA8B8193A167B64051A362FE99A6045CF4A951EEA16BC0D1F33D92045FE9DC65EED0F3B3FF47A7039247
Malicious:false
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/03/2024 07:15:57.347.OUTLOOK (0x14DC).0x8F8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":15,"Time":"2024-07-03T07:15:57.347Z","Contract":"Office.System.Activity","Activity.CV":"bvy7l8NHlkWSXh7Ou5a+FQ.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/03/2024 07:15:57.362.OUTLOOK (0x14DC).0x8F8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-07-03T07:15:57.362Z","Contract":"Office.System.Activity","Activity.CV":"bvy7l8NHlkWSXh7Ou5a+FQ.4.10","Activity.Duration":11838,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719990957299525700_97BBFC6E-47C3-4596-925E-1ECEBB96BE15.log

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0315570081-5340.etl

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):94208
Entropy (8bit):4.477239145356983
Encrypted:false
SSDEEP:768:EHyHx4/fMiaWxv/cv+QHM88f9jYQtFILtYwRbfb/9nu0+QnRJp6ocB4xSIu/XzXr:OB4k89rDkXX+Hmc2
MD5:21DA8C65C22C7DD837F592FFAF6FC28D
SHA1:F926E6BB255122F526656F02D4B455C2597EB433
SHA-256:10D48CE5A81E573B49AAF049C6B5B7C8D3C1F4A210C2C1448E9CABCE9A3CFD63
SHA-512:4F875644DC3477FCA48994312CF28FA388712C17673FCB87C509A51F70B562CC9A86C86792F47C2EAB193F9FF0B5AA612890C6AC284F9E3D14C37A1B274EC6BD
Malicious:false
Preview:............................................................................d...........m.a.....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................I7.\...........m.a.............v.2._.O.U.T.L.O.O.K.:.1.4.d.c.:.2.a.b.3.8.a.3.9.c.1.5.b.4.7.8.d.9.4.e.9.2.d.b.9.8.f.4.9.3.b.6.8...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.7.0.3.T.0.3.1.5.5.7.0.0.8.1.-.5.3.4.0...e.t.l...........P.P...........d.....................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7B6E4360F79C662A.TMP

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):163840
Entropy (8bit):0.36856571289270146
Encrypted:false
SSDEEP:192:Gn1N5I/9yCB/N0UINW+ZQJH5aD4ecNgz0XHWQOoqAbAFAqwNh/:G1Do9yCB10UIN3IH5W4ebz0XHOoqMu
MD5:2D2A24AC7C991F92FD71DBC36CACB25C
SHA1:3BCC8B0593A05132BA8349D8B15169ADE0BDBAE6
SHA-256:94635D5F7A9EFC4A94C9DBEECF0DC390D0F8DDB5B76DCC6A5541F9D66A75AAB5
SHA-512:D986BAFF7939B0E882002398D5F6DD19B35E8C18A83FCF20B31382013301510C4521D474E0E3BF89834BD63527DCFC91340EBA2A38C10F61E5883FA3133996FC
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:+6nz/t:+Mz
MD5:68294B493991A7E57F9B47E4DDE2F2A9
SHA1:82DCFFD74723B72F7A59E5167143E9119A2B563E
SHA-256:479E20DD5221BAFA5B31719333306116D4D51998A623A78DB72331FF687B494F
SHA-512:2CF98C97745AA04080EDB619FB3194350422B16B04FD4697F9B9872C9C6034C1D83935013B26CD8758123A45B49F54B2E7680CA21B45FF22D0DFCF1D82C8E626
Malicious:false
Preview:....._........................

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.670918017091338
Encrypted:false
SSDEEP:12:rl3baFFClsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCIT:rqQmnq1Py961A
MD5:7367000E90A3A51DA9818B2FA6B9072E
SHA1:D53A1BE75FE64846A951A3549A4DD708B94F3190
SHA-256:28E9C7BFE71742C06C22F2ADE07B7CEC2BB45D3B01B05275AC4A92EEFE63D503
SHA-512:BC7DE1B5C33BF214398CDF5D65E4CB016268DE124B015181926B62F2067C2770FCF2E88C5B41FD6F10E475DA7132A815E29FEAFBBB10300A6442B05BE784A8F3
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):1.496870646568913
Encrypted:false
SSDEEP:768:6Qcz0ngfGK6W5hCY1kRPpNCJ0bLGgX8BUTIZ:FSGK6AC6dSbFXeNZ
MD5:C30F8664E850269EB66A56EF85CAF8C1
SHA1:C8D71339EDF02D0CEECFC0BFD6538C781F6E9B94
SHA-256:22484C8D055BE5FE188E403011D3576DD935EEEF7738892CE67FBCF08DB901E9
SHA-512:4B64FA1389C2A494B958AD722B34C9AE9C0502F894F209B710A764EE9A49BD7C782F265991F63D0D79146CA0EC30BA2220CE5576822C2A15FCAFDFE7F70243DB
Malicious:false
Preview:!BDN.=.$SM......\....Y..................[................@...........@...@...................................@...........................................................................$.......D.......@..........................................................................................................................................................................................................................................................................................................................H.......e..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):0.8262524683589342
Encrypted:false
SSDEEP:192:l3oOJMEDe4MrzTJsH1JULSCLccdtqc7Ytrx40:l3XJ5DedqH3wwqE
MD5:260E345935EEA4955159E515E1716750
SHA1:001451B5097F1DD9AA2C39034AF4B67E796F269D
SHA-256:A4DA217CD0C9C08BE9CEDFB89D5A123454B3DBFA716D2D47B4461369A15887E1
SHA-512:D80DA7D6A7DB03C0C9ECB01731FCE17C9D60547F77318C2D4955C0244871267F4AA93DA0636F528ABD475B62507976AA1FCA21EAB6049E16E2CCC5C2F8B07B81
Malicious:false
Preview:....C...H...........,.;.......................#.!BDN.=.$SM......\....Y..................[................@...........@...@...................................@...........................................................................$.......D.......@..........................................................................................................................................................................................................................................................................................................................H.......e......,.;..........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:CDFV2 Microsoft Outlook Message
Entropy (8bit):4.020397067405745
TrID:
  • Outlook Message (71009/1) 58.92%
  • Outlook Form Template (41509/1) 34.44%
  • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:Re Re Re Re INV-428-87443..msg
File size:50'688 bytes
MD5:4c7bee5a0bbf91f85f19d452e1eacd00
SHA1:d569ca5dfe2f8c26d22ed95b38d427b11dc86dcb
SHA256:8a6b19cdfabae0e37f8d8cb1d379f4a096a6c1664f1d947c2c445d3a7e899fc0
SHA512:e4b0ff19fcee4889b747d7d7178da7e5c297afd6ce1e4575466ddc950faca8ce0842c88a424bde64aa5bb7d9c8ca2f17ca84eefc832af3ef81b8afdaad9738b4
SSDEEP:768:VtlUJsKSErVwHpSvtz60W6z8E1AK8sK3B3taZ/8sS7Vvh4VnVJ4e:8qMV6Sv560WPpdaZ/8bH
TLSH:AB33D22136E54A09F37A9F324DF6C0D78526BCC2FD11DB4F3295730E1A71A41A9B1B2A
File Content Preview:........................>......................................................................................................................................................................................................................................

Static Mail

General

Subject:Re: Re: Re: Re: INV-428-87443.
From:"Account-Payable@Chu-brest" <Account-Payable@chu-brest>
To:dba@chu-brest.fr
Cc:
BCC:
Date:Wed, 03 Jul 2024 08:19:07 +0200
Communications:
  • MESSAGE EXTERNE : Vrifier imprativement les expditeurs avant de cliquer sur un lien ou ouvrir une pice jointe. En cas de doute, contactez la Centrale d'Appels via le <https://portail-demande.chu-brest.fr/servicedesk/customer/portal/2/user/login?destination=portal%2F2> Portail. Please find attached Invoice #29080 for your order PO 3223972. PI- 595669 -Commercial Invoice 60486.pdf Message for the dba@chu-brest.fr only, if received in error, please notify the sender <https://u11274505.ct.sendgrid.net/wf/open?upn=u001.4PAOISG5fKwGvqjK-2F0r0ij3WvMMXaoFZ5N8AKXsr7TcNrkCIZFAidk3wIqO-2FR6VOzj7w-2F4I13onvjtHWdOt27lMsulNquOW9VdCnkj37pTBc7tASAjMJVI6QerJMktjBCVPSbHSfSvB3tveXVQDeiDkdWVtee1nkqjvCz3kTUk2unfwRr-2F7ZpW1eH94viwzoqFqrXxlmz51VcT-2BNH-2B4e0Q-3D-3D>
Attachments:
  • asdfsd2.JPG

Headers

Key Value
Receivedfrom Administrator (unknown)
15.2.1544.11 via Mailbox Transport; Wed, 3 Jul 2024 0819:09 +0200
0819:09 +0200
for <dba@chu-brest.fr>; Wed, 3 Jul 2024 0819:08 +0200 (CEST)
DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
h=fromsubject:content-type:mime-version:to:cc:content-type:from:
subjectto;
2024-07-03 0619:07.708671592 +0000 UTC m=+479482.121144089
Wed, 03 Jul 2024 0619:07.615 +0000 (UTC)
From"Account-Payable@Chu-brest" <Account-Payable@chu-brest>
SubjectRe: Re: Re: Re: INV-428-87443.
Content-Typemultipart/related; type="multipart/alternative"; boundary="TpODVw3RoAMCdZyugGRqh9PUE6pfG2=_6v"
MIME-Version1.0
DateWed, 3 Jul 2024 06:19:07 +0000
Priorityurgent
X-Priority2
Importancehigh
Message-ID<20240307081907E770AF8C0E$E4C998DDBA@chu-brest>
X-SG-EID=?us-ascii?Q?u001=2EvmBzTggZXly+QgOyIxQ5CqpTQWof0lcExlgFeNIWsXVzeJsyCJrVo5REA?=
Todba@chu-brest.fr
X-Entity-IDu001.7K/DRYDiIiYbu/binPxA/Q==
X-Originating-IP[159.183.224.10]
X-Envelope-Frombounces+11274505-441d-dba=chu-brest.fr@sendgrid.net
X-VRC-SPAM-STATUS0,96,gggruggvucftvghtrhhoucdtuddrgeeftddrudeigddutdegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftvedpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedttdenucfttghvugcuffgrthgvucgrnhhomhgrlhihucdlvddumdenogeurgguqdfhrhhomhculdektddmnegonfftqdeuohhunhguqdftfedvucdlhedmnefjrghmjfgvrgguvghrhfhivghlugcujfgvrgguvghrucfutghorhhinhhgucdlqddutddmnecujfgurhephffutgggfffrkgfkvfesrhdtreertddtjeenucfhrhhomhepfdettggtohhunhhtqdfrrgihrggslhgvseevhhhuqdgsrhgvshhtfdcuoeettggtohhunhhtqdfrrgihrggslhgvsegthhhuqdgsrhgvshhtqeenucggtffrrghtthgvrhhnpeelffetgfeuhfeltdfftdevvdejgeeitdegveffudekhefhgfegueetjefgkeehleenucffohhmrghinhepshgvnhgughhrihgurdhnvghtnecukfhppeduheelrddukeefrddvvdegrddutdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdpmhgrgihmshhgshhiiigvpedutdegkeehjeeipdhinhgvthepudehledrudekfedrvddvgedruddtpdhhvghlohepshdrfihfsghtiihhhhigrdhouhhtsghouhhnugdqmhgrihhlrdhsvghnughgrhhiugdrnhgvthdpmhgrihhlfhhrohhmpegsohhunhgtvghsodduuddvjeeghedthedqgeegud
X-VRC-SPAM-STATElegit
X-VRC-MX-QID4WDV3d0PlKz9fW7
X-VRC-POLICY-STATUSt=1,a=1,l=0
Return-Pathbounces+11274505-441d-dba=chu-brest.fr@sendgrid.net
X-MS-Exchange-Organization-Network-Message-Idd80a951b-4090-438a-81b1-08dc9b280cc7
X-Auto-Response-SuppressDR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSourceVS-EXCH19-P2.chu-brest.fr
X-MS-Exchange-Organization-AuthAsAnonymous
X-MS-Exchange-Transport-EndToEndLatency00:00:00.2015085
X-MS-Exchange-Processed-By-BccFoldering15.02.1544.011
dateWed, 03 Jul 2024 08:19:07 +0200

File Icon

Icon Hash:c4e1928eacb280a2

Network Behavior

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Jul 3, 2024 09:16:12.719552994 CEST53588561.1.1.1192.168.2.8
Jul 3, 2024 09:16:14.186939955 CEST53634451.1.1.1192.168.2.8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:03:15:56
Start date:03/07/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Re Re Re Re INV-428-87443..msg"
Imagebase:0x6a0000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

General

Target ID:2
Start time:03:15:59
Start date:03/07/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC3AC3B1-AE67-486E-942E-343FE1592A34" "C297FDC9-C691-44F6-9746-1B3F495AB962" "5340" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff6842b0000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Disassembly

No disassembly