Edit tour

Windows Analysis Report
7253e39d-9e2a-897f-f7fc-1445151717e5.eml

Overview

General Information

Sample name:	7253e39d-9e2a-897f-f7fc-1445151717e5.eml
Analysis ID:	1466760
MD5:	b6957addecd9d5eda3bc45d97e572460
SHA1:	fc9bc687012972d825545d7c81d16193bb257240
SHA256:	80f0d6d592417ef40aaa4fd93de082f2d7af240061d0326a51d256c33db0f051
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected suspicious e-Mail

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 4980 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7253e39d-9e2a-897f-f7fc-1445151717e5.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 1176 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D73A3FCD-DDD5-4483-A749-CEC5746836E0" "1C95EE42-F715-4654-9F8D-35166513BDFC" "4980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml, ~WRS{F07E678E-3987-4E93-A1D0-AD736AE1D1DC}.tmp.0.dr	String found in binary or memory: https://aka.ms/privacy
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.office.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://api.scheduler.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://augloop.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://bombeirosamora-my.sh=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://bombeirosamora-my.sharepoint.com/:o:/g/p=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bomb=
Source: ~WRS{F07E678E-3987-4E93-A1D0-AD736AE1D1DC}.tmp.0.dr	String found in binary or memory: https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZG
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cdn.entity.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cortana.ai
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://cr.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://directory.services.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ecs.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://graph.windows.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://invites.office.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.windows.local
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://management.azure.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://management.azure.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointon=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonl=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/f=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/files/fab=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/files/fabri=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/asse=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/f=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/seg=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeu=
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://static2.sharepointonline=
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://substrate.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://tasks.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 7253e39d-9e2a-897f-f7fc-1445151717e5.eml	String found in binary or memory: https://westeuroper-notifyp.svc.ms:443/api/v2=
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/15@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0507270535-4980.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7253e39d-9e2a-897f-f7fc-1445151717e5.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D73A3FCD-DDD5-4483-A749-CEC5746836E0" "1C95EE42-F715-4654-9F8D-35166513BDFC" "4980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D73A3FCD-DDD5-4483-A749-CEC5746836E0" "1C95EE42-F715-4654-9F8D-35166513BDFC" "4980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected suspicious e-Mail

Source: e-Mail

LLM: Score: 8 Reasons: The email impersonates Microsoft by using its logo and branding elements. The subject line and body create a sense of urgency with 'Urgent Request' to induce clicks. The sender's name 'Geral Comando | Bombeiros Mistos Amora' does not match typical Microsoft communications, suggesting spoofing. The email prompts the recipient to click on a link, which is a common phishing tactic. The link's destination is not visible, which is suspicious.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://api.microsoftstream.com/api/	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://outlook.office.com/autosuggest/api/v1/init?cvid=	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://static2.sharepointonl=	0%	Avira URL Cloud	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://bombeirosamora-my.sharepoint.com/:o:/g/p=	0%	Avira URL Cloud	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://static2.sharepointonline=	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZG	0%	Avira URL Cloud	safe
https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando=	0%	Avira URL Cloud	safe
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://cortana.ai	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://static2.sharepointonl=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnosticssdf.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://ic3.teams.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://bombeirosamora-my.sharepoint.com/:o:/g/p=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://www.yammer.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	Avira URL Cloud: safe	unknown
https://static2.sharepointonline=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://globaldisco.crm.dynamics.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZG	~WRS{F07E678E-3987-4E93-A1D0-AD736AE1D1DC}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	Avira URL Cloud: safe	unknown
https://safelinks.protection.outlook.com/api/GetPolicy	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	Avira URL Cloud: safe	unknown
https://static2.sharepointon=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://static2.sharepointonline.com/files/fabri=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bomb=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://templatesmetadata.office.net/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeu=	7253e39d-9e2a-897f-f7fc-1445151717e5.eml	false	Avira URL Cloud: safe	unknown
https://messaging.lifecycle.office.com/	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466760
Start date and time:	2024-07-03 11:06:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7253e39d-9e2a-897f-f7fc-1445151717e5.eml
Detection:	SUS
Classification:	sus21.winEML@3/15@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 20.42.65.84, 13.89.179.13
Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdcus21.centralus.cloudapp.azure.com, ocsp.digicert.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdeus02.eastus.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Input	Output
URL: e-Mail Model: gpt-4o	```json{ "riskscore": 8, "brand_impersonated": "Microsoft", "reasons": "The email impersonates Microsoft by using its logo and branding elements. The subject line and body create a sense of urgency with 'Urgent Request' to induce clicks. The sender's name 'Geral Comando \| Bombeiros Mistos Amora' does not match typical Microsoft communications, suggesting spoofing. The email prompts the recipient to click on a link, which is a common phishing tactic. The link's destination is not visible, which is suspicious."}

URL: e-Mail Model: gpt-4o

```json{  "riskscore": 8,  "brand_impersonated": "Microsoft",  "reasons": "The email impersonates Microsoft by using its logo and branding elements. The subject line and body create a sense of urgency with 'Urgent Request' to induce clicks. The sender's name 'Geral Comando | Bombeiros Mistos Amora' does not match typical Microsoft communications, suggesting spoofing. The email prompts the recipient to click on a link, which is a common phishing tactic. The link's destination is not visible, which is suspicious."}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.383218206903574
Encrypted:	false
SSDEEP:	1536:35YLQpgsaMQuyI7yIgsAyNcAz79ysQqt2wmT0qoQPGrcm0FvrGphys6JaSCN0PBC:e6geRNgYmiGu2uqoQurt0Fv//WaTHdy
MD5:	19C4C7A431BBAE5AEF800F49BB72A2A8
SHA1:	50550EEE11CF9EA114DA7D71229FF213419B3E0C
SHA-256:	01E7DB8275EE06C1947B702C549642CF234DDD9D661CF8504212F6B1E51C7604
SHA-512:	6DE30AF2DE431A67122980EBC876EDDEB527B85AF01FC5A5C54C79D8C1AEF91F76F4F6D72CBF66357FD86EDA7502553994A787F6C263E7D9B20D2D95A2CE7B6B
Malicious:	false
Reputation:	low
Preview:	TH02...... .0.rb(.......SM01X...,...P0db(...........IPM.Activity...........h...............h............H..h\.......v-D?...h............H..h\eng ...r\Ap...h....0..........h>/.T...........h........_`.k...hb..T@...I.6w...h....H...8..k...0....T...............d.........2h...............k2.6.....1.;...!h.............. h..f.........#h....8.........$h........8....."h0......`....'h..]...........1h>/.T<.........0h....4.....k../h....h......kH..h....p...\.....-h .............+h.(.T....P................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174490
Entropy (8bit):	5.2896218899905705
Encrypted:	false
SSDEEP:	1536:ji2JfRAqcbH41gwEOLe7HWaM/o//MRcAZl1p5ihs7EXXmEAD2OdaB:Mce7HWaM/o/7XDk2
MD5:	C96241F48BFDD8302208E12528E09FDF
SHA1:	4475EAFB6F3D648D554BBCBC20F2E06197C24B3C
SHA-256:	2E2F22A502A68F63D90E61E41DA80561C9DD30B6DCDB9EA52CCB790A574A32AE
SHA-512:	0048DDD1DCAC7C553725EF1216ED1165C82567AB9333D289388AC17753F70623CBEDDE60572571890ED5F2BA4D25454492C1974EB689D0031B274B4101A29CA8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-07-03T09:07:30">.. Build: 16.0.17812.40128-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04591939678467531
Encrypted:	false
SSDEEP:	3:GtlxtjlIfYd4QDPQDSlHI3lxtjlIfYd4QDPQDS9l//1R9//8l1lvlll1lllwlvlh:GtldXH4ldXftX9X01PH4l942wU
MD5:	444CBE408094938ABFAFE333802D3F93
SHA1:	6DAA148DB1ED38515D5C8F8A47F11F359268201C
SHA-256:	610381E3013AF4A48B0128EACA1EB0BC9AD00EEBC0B7C22B06D93067F622E23E
SHA-512:	BC906E2419CC6BB72AB665C119973BA61ADAEC68EF5B93252B8DA962FA3F1A4F10607911E00101220AACD78DC3911A19DB0D80C1286982E402A153B834E7E581
Malicious:	false
Reputation:	low
Preview:	..-.....................z.jV....#J.5...2j.}.n....-.....................z.jV....#J.5...2j.}.n..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4851805161610792
Encrypted:	false
SSDEEP:	48:WoQ1R6mUll7DYMc5vDzO8VFDYMZyiBO8VFDYML:avill4VvfjVG6yIjVGC
MD5:	E1F3FCBFD8E828ACB66CEC2C5F59F49F
SHA1:	D9B1DFD3F5D636DDF68BF0F452CA2F1C8910CB55
SHA-256:	01D576A21798F0F2181A8D4A9A331E8AFBB49F2DB2DBB90365738E596BF8CFC0
SHA-512:	D8354C04715A714F5DAD074CD86EB0CF03BDF98A0E85C5B2843BD6EB7B37B51729DA9127937F146737968A86558F07AD37189C9C7A719494EDAEA134FDBE3500
Malicious:	false
Reputation:	low
Preview:	7....-...........#J.5...1&.)...........#J.5...i.NW....SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31F17C90.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2133
Entropy (8bit):	7.86298626930999
Encrypted:	false
SSDEEP:	48:ieGreai8Z6DREuByJTO4X4+0aP2raRG1/1wBadvpP3jc:DmeaiGSRDByJ657ac9Y
MD5:	4DF1205B01187B26FF893615B19C65DE
SHA1:	13856C6DCE2C8C328153C9C6FD37643EDCC45B81
SHA-256:	5931FFF65F3CF45DA0DDD4F29D39BA23063A3735A8F99868DF6C23E26BD61788
SHA-512:	074239FBFE2D5B34EFDD6EC0255A459CFDDCA9538FDAE5F371F50414B4EC305D551461CBD852294E89197BD8375E7FC5C888657971281AFCCC06051AFA01FA1E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...0...0.....W.......pHYs...%...%.IR$.....sRGB.........gAMA......a.....IDATx..ZOL.U..fkmM..%...p.S....M.<.....M!R....TL...x.=......<.5.......S6.R....U...K/.t...v.0.3........v.......}.B[.UU.D.Z..:>T..z..6...H.HQf..G.....O.H..x..p#...3.W"L....u.%c... 5.b.k.Q4....Zq.....BKKK.<?7G..iJOO...&.X.S..R......J<...{L..b....8....{C^..$..:.u.'nB.......?.H$B[.L&C.##.da.......FI.Tu_......GX=.O..uy.......).........n.ls.YP.A~gGG'.9{...../0....;l....ZZZimu.fggw......T..r..T... ..==B....{r`.gw.4Z...kimu\|n.U........fO~_+..h.....tv.#M[..~.`..B!ZXX....-.4.=...B.s.=...p.n-.}p.J.P0X....Jg...#Z^^&._..9joo.6>0.)....:.s.."!.X....k..........~...dR.<t.D......].pQ\...+........dxBr.@.=..m0..@....8......F_'`.pb...........#n&.._..Lf.$.HD.r]..\N...P.}...9.e..<....R..!q....K..Q.....T0.0.w...B.c...Tu$.....7..a..N0.^'.._.....<j._..V.........4...............[C..X.*.@....;...s.~....@.:...<.9##..ni.......".~M.s.) ....[I.H[...6....T.{<...\|.F..3..Q......1...+......K..3.-...T.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\50C6020B.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	PNG image data, 96 x 96, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	558
Entropy (8bit):	7.123275457405295
Encrypted:	false
SSDEEP:	12:6v/7FAPC60nddiW9WrsCwje1QVTCkEE91UrMJRj:CyC6gHJCwjCQjE8Lj
MD5:	D9DCA1CAC67A8515C5E7572528BDD5A2
SHA1:	E758AF30B557F3E6DC91FCF3F114725BE898B4F4
SHA-256:	D03539CC6A66D43CFD2347316E7F93720B2D0D9228836EAA86726D87A5113D90
SHA-512:	1AF4329F527D2F0B01CD0C18AA614E439EF4B0A5ABC69658A6B04F7236F3CFE769E9C0E79C100C3C6AD721456D791E9BCC502F7EF84225A76BD84F9A79BC3F11
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...`...`......F..... cHRM..z&..............u0...`..:....p..Q<...iPLTE...#. .:z.:z.:z.:z.:z.:z.:z.:z.:z.:ze2`....................k..R....:z..w..F.................^....n.......tRNS.f/?o......_...R.....bKGD....H....IDATh....n.@..`Z.M..n.F.....R...4....n..h...%.I.5.$.....!@....h................o.!.....n....Y....?.V.......lN.........+u....\|..Z.7._.~;. . ..2..\|..z....gh@....]...}ue1-2.#A...U.....n..; J.B..\ ..w........2..P..h..f..I.m.c.......r.rG .%O......lQ..l..8.....0D.<....Q.0G{b.A.p..X`@.....W-....hT4.."D]....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EAF4B351.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	PNG image data, 172 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5135
Entropy (8bit):	7.947582392550244
Encrypted:	false
SSDEEP:	96:str81ZybZgtA7BQVfSFwfFC6t0yT+elXWowAtsBiojv2O8CsMcf8:Fytgt0BQVfSCOyTXlGo/wZ8Z8
MD5:	10756BD9D810A0202CF4B5E7828160C0
SHA1:	42DFDBE0F7B69C4A1A37958F63A242C143209699
SHA-256:	8BA923AECE3E1731B7CDF398D30EEE632B285A5CC91F3E6A062BB72713F38644
SHA-512:	EABC98A8D29D57C356679CB3E67BA7DAD4684D9F73083FD2D68E17413061DFD2F2626AA7073D71170633C316EB08AF55DD1D5D7490BA3DAF760A25146F68B140
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......(.....c.......sRGB.........IDATx...x....;IN.D.`HP....S.T].eUJ...BE...>...E@.......P)....n..Z.u.V(n....4.......{N........w.I.I..C...df.y.wf.y.w.1...@'......'&..........)..$Y....&.:.^.mRMy...f.....-..T..C..R.@..Vi..e4.c..=..6v......k4.u....Z.ju...57....//#^.......}-n...%-.GaS...........WG@IIVm._4)..-.t..u......RLe]..A.P..ExIS8..=.m.n.5.R...+.%..v}m......uS.7Ha.:../m.....p"$$.y$.P..3W.."...&.SI ..v..':..%0u......,kdccc..........>.......+.E.......Q[[.733....y.gN\H..z....6..>...z..4_%..z..O?...G"..&r...?$...LJJ..m...bP.zboH.Jl....]........e.~.Bpb(....o@..."...9s........V..V...W.....No./P..B.NSS.:`...%.-I.,,....@...r.tN7Q.6..wz.....X-.."F....Q7...G.-dd......%..._..!2Y.......(....6..^...e.h.BA.a^.....x..{./....&d.X.~}#.\QQQ../.h#...g.WX..-..8.....@2I.._...RnF.'N.. .Ap...".q.A.\|..4...R..Q.H....O3,.......g!.1.'...0...j.....=w..i......8..=..W..]..`.y..Fy.y....o.......y....`........:.7.1s......M.,.m}..^.1..\|._Y..?..E.A..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EDD301B2.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2877
Entropy (8bit):	7.9028514706867385
Encrypted:	false
SSDEEP:	48:RgHrMEg/Nf3otqzX6xRFyvGmgoeK0vhHGic8Z/FtFDzioSPHDNOM9UqjFm:MrME6LEF0Y1K0vhHGS1WoSvDNOt2m
MD5:	1E13EE0ED09C4AF1ADFB6C0D280879B0
SHA1:	1192A79F7B4C4FF814583743F8C66ACA7ECB8ACF
SHA-256:	E2395FBA25D3FB8A971345CA65D144F7D9C9D933F70409165446E63D18C0958D
SHA-512:	4D86A41DE4B3CA8BB73BF641838953BE03FFF34A890B7BDDC506276186D42979BC99A7DC5553005F135AA1C02137C85C6A2623498C78A617CC195E28FD8B3C95
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...`...`......w8....sRGB.........IDATx..\}l.G..o..Z....$%i....4P5. Q.........@...nZ.wg.....%.$M........-.T>$..B.........MA..4Q...v...g..v....q..H.}......};o.D:h.4.....F.rC ..MBp..6.n@x..{(.?.6..1..z.............&....D....P.3A. ....).?.4...2...&..?.$...J.d...a&....M@5..^..A....".LBo.q.d.......B.a_I.....i....#...k.. 'h..-.;QmTG...1an...cN..i.."%....5...j...'bQ-...$.s.......T.8.. .$..N...Y..k..P...a..g....>`...Y[#.-..._M.m. .$.^Ed,.Z..}Y..}.2.c..X....c...$.e{..I.+.+.n.TH........7..k..wCm.....6.'..rd..U0.A..WT.vi.O@"..Jq'F...........NH`.:eb.9.gJ.5..=s.....\...F;.."@fH.i..%\..Z......N3.x..%.n...............}.i..a.....~.IL.c...7...b....j.!<...ufR.{.._....>..wc...b+.\..._....8.L..f..&..".0...@.%.g ..%...I.-R*D..3!^!..2.(k[..VS.......&.w.I......-..;.{.p..H.4..G.C./.z..UpB.S.2=.U.s.U..]....c...x.4P...c2.{.>.g..v....T.=G..`....:AqJb..{.v.4.......3h.R...3....$u......oVZ.7..a.)b.T..!........Z5.y.H.....h.UCgdr-.?...~..~yF.R,.{.$Hg.=..LB.3!.W...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F07E678E-3987-4E93-A1D0-AD736AE1D1DC}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	12588
Entropy (8bit):	3.2885144264126134
Encrypted:	false
SSDEEP:	96:aIBA1tVW+GX444443wsYRkFFGkFFIreJ4444440OEs0BkFFYzPiRgggVQTNlHKkT:B8tVW+GQ6O4iYQNlH5IgJB5qJU
MD5:	04831749C36D46041448526570B521C9
SHA1:	24E19E4650343AF2DEB965C79C0AFCA6EAE9FD68
SHA-256:	CF25C689A5E769DE922852788D449DDAFB79C8D86CAD50419CFCB18D22D13D28
SHA-512:	EADF1BA3F60C8906003B4EE4B770097B40FD88DF3A794EDA75204B691A54298213014427C42E68DCEF0A2EAE3ADE030C896DBCB08C3F944BAF198F9747755491
Malicious:	false
Preview:	..................I.N.C.L.U.D.E.P.I.C.T.U.R.E. .".c.i.d.:.0.0.d.2.6.2.8.3.-.f.7.7.7.-.4.0.e.3.-.9.7.5.7.-.3.8.f.d.8.e.5.3.7.8.8.5.". .\.. .M.E.R.G.E.F.O.R.M.A.T.I.N.E.T... . .............................................................................................................................................................................................................................................................................................................................................................................................\|...~...........&...(........................................................................................................................................................................................................................................$.........[$.\$.a$......$..d............[$.\$.a$.....$..$.If....:V.......t.....6......4........4........a.........$.a$....$..$.If........!v..h.#v....:V.......t.....6......5.......4........4.

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719997647748806000_CF2C1FCB-4279-4DD0-B59A-154CCFE1AE1D.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28746), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.1591172844770294
Encrypted:	false
SSDEEP:	1536:1FxgY3vPTy4Oa90NQJA8szfc5p1vMjnx/FwRrD6ywfBEq:b3HdOamrUCtwR
MD5:	B7D7D3B2F441B7366C1E643E5FE1C7B1
SHA1:	E1A1B14FC3DDAD59E38CE9162717484501124978
SHA-256:	CB0500FD6106389AF1C7673808A3085705427FF1C24B1F1026AF0A8D13276DBE
SHA-512:	C03938B45BD1071D2E5505D2673854E47E63E129C4640943B60862FE31A7D996733851DC8D345BFC39B9D219697BB6724769453D04294F6A063F7FCA663A65C4
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/03/2024 09:07:27.801.OUTLOOK (0x1374).0x1384.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-07-03T09:07:27.801Z","Contract":"Office.System.Activity","Activity.CV":"yx8sz3lC0E21mhVMz+GuHQ.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/03/2024 09:07:27.816.OUTLOOK (0x1374).0x1384.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-07-03T09:07:27.816Z","Contract":"Office.System.Activity","Activity.CV":"yx8sz3lC0E21mhVMz+GuHQ.4.10","Activity.Duration":10883,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719997647749496500_CF2C1FCB-4279-4DD0-B59A-154CCFE1AE1D.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0507270535-4980.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	4.4745802535823085
Encrypted:	false
SSDEEP:	768:sPyfx+nRwAZ8C9q1i6gN+6GiAnbKA/Ae6GpnXITFVUfWUIvhDEw6dA44PjrxAs7w:sCH4Igo99Ydl8XKAGe
MD5:	04EA3E5E532925A347BF41231C97DADF
SHA1:	747060D4B4D3470F89F3EB45E34785D4F2425EED
SHA-256:	64BF47EEFAD1973DE27B919DB38F5FA1A1A33DE85577FBC82D01F39ACE366EAF
SHA-512:	ED010D460D5D0E61B32CE1937C090D1751DD29B0565834DFDC8AECF16AE6C642D6256E5EF4A19AD14FDC6DBDAD66E6A5A8C6E154EF4DCD1789B428EDD260D95A
Malicious:	false
Preview:	............................................................................h.......t...9.3m(...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@..J...........9.3m(...........v.2._.O.U.T.L.O.O.K.:.1.3.7.4.:.e.c.d.6.3.a.c.e.6.a.f.4.4.7.b.b.9.7.6.d.2.5.2.e.4.c.1.d.4.b.3.2...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.7.0.3.T.0.5.0.7.2.7.0.5.3.5.-.4.9.8.0...e.t.l.......P.P.....t...9.3m(...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:UKlt:U+
MD5:	5075EDA9F0391DAF2C3090A57383F8AF
SHA1:	EFBA4582F6641AD969D77F8E9FF6C23BA08E7077
SHA-256:	E88D0992E4CDD69A78E07899AAB5D7FE8B0FE59B1B5FC54A3C12903951384B6B
SHA-512:	2758C103FCF96618E2E8D709BE15A29F679A4C9601CAA26994D4DEE997501B3373A11298CD8CCCD84B83666677D07B3268E9A31F8389B4DE0C66114A143546C1
Malicious:	false
Preview:	....#X........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	3.3873104756030505
Encrypted:	false
SSDEEP:	1536:2T8zySJ4xJS292j02NvKhLyCHtFKp6OaK7lKyI/LwnZW53jEpEHP4qQ10PAwr5Kj:u8zkRKonI3uwnp9Cxvp9
MD5:	FD5A8E8887D6F8BBDA7846C7C5E9FD47
SHA1:	ED5F02C4BD8CC712657BEAF637DB861598FC591D
SHA-256:	E7A0B38C73DF6F912DAC9AB69F31B64F0DB6D7F747BF6AE38E93664724F8952A
SHA-512:	A89D7D41E01F3291B11702C83BC30FA097D8D5E4A1474D2E6D97870DC2E8AE17D2C5AFD22705B4D97648DDB4EA3F52D8C2ADDAF8D769B676C08C2B948ECACBB5
Malicious:	false
Preview:	!BDN@.f.SM......\....Q..................e................@...........@...@...................................@...........................................................................$.......D......@3.......................................................................................................................................................................................................................................................................................................................................8.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.286831082870679
Encrypted:	false
SSDEEP:	1536:AAwr1AgsbGgGp6OaaJ6LplKWt/W53jEpEHP4qQ10PAwrtbv:SZp9gL7p9
MD5:	61391116E2258386C10A7AEADABEF7FB
SHA1:	4171AC8DBE91F0B2192D1C901F2AAF00B98BC397
SHA-256:	59D38407E38A1BB853F48F456E2BEDA3A1D1ABEDE53B7F6C6D38D53051AD3811
SHA-512:	28D230353DB2E23F5AF6911C61DCC22EECE510918BD8596F49C99199DF07F80251A8163CA64CC9FD30A163A393BB3F501A9306BC03E98B86966E84C4210BB12A
Malicious:	false
Preview:	..Q'0...........t....7.m(........D............#.........................................................................?.............................................................................................................................................................................................................................................................................................................................................................................................................................................=U.D......mI. 0...........t....7.m(........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.115713457890696
TrID:
File name:	7253e39d-9e2a-897f-f7fc-1445151717e5.eml
File size:	46'501 bytes
MD5:	b6957addecd9d5eda3bc45d97e572460
SHA1:	fc9bc687012972d825545d7c81d16193bb257240
SHA256:	80f0d6d592417ef40aaa4fd93de082f2d7af240061d0326a51d256c33db0f051
SHA512:	dc651bc374f8208177f40981af005299dd417389eaf20944f4d192b1d7bfdbbf5cbf3eb19577343d171673e0381f01e6a5b82ac42fd19a3925df5118b12a9b9a
SSDEEP:	768:b6TyHlULRV2JwWSGylbQw88Sv22p2Kd/tYRETYmGlDdvTA46xOhe:b6TslULOSCw88Sv22p2Kd/tYYYxZUUhe
TLSH:	41237C3D9E801856753221FCBC22B849FB550D2FA6274160795FB0A72FAE0F7291B79C
File Content Preview:	ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;.. b=O3RVHLenXXGyB5wUgUXm9xVc17mflTbC+R6EvweaJlv1fdLsnDo1CdbQi3JrW3SLOLpR4xqkIkPnlem8kElY40OepeBRosN5We6mxzB67n9I0WwlZW1lFke6YsRclwLXul93Xncw1H8w7OyDwRmHW5XbkwGYz9Jspg0kTTan+Ff1Dlokd

Static Mail

General

Subject:	Geral Comando \| Bombeiros Mistos Amora shared "Urgent Request" with you
From:	Geral Comando \| Bombeiros Mistos Amora <geral.comando@bombeirosamora.pt>
To:	"lavaredas.serrano@marinha.pt" <lavaredas.serrano@marinha.pt>
Cc:
BCC:
Date:	Tue, 02 Jul 2024 07:10:34 +0000
Communications:	[Share image] Geral Comando \| Bombeiros Mistos Amora shared a file with you Here's the document that Geral Comando \| Bombeiros Mistos Amora shared with you. <https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g?e=5%3aGFx4a1&at=9> [icon] Urgent Request [permission globe icon] This link only works for the direct recipients of this message. Open <https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g?e=5%3aGFx4a1&at=9> [Microsoft logo] Privacy Statement <https://aka.ms/privacy>
Attachments:	AttachedImage AttachedImage AttachedImage AttachedImage

Headers

Key	Value
ARC-Seal	i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EU651NTof+9yonOXamLe1z71+e3Sag9GnCHgAXPSTg9d/pVJ2YLO52BGEhDeECRUqO1UZwIZY8mYngpKsEO94fitOHFBDUEoEgKrHb/cJKyfkrYYnXmoI3xB15T6rT+MXg0dyBl6K9q8//D6H7tfM0qPv1N7fsOV8zqLlv0Pur0qRCJSW8mHIvA5E2OdQEClFQqYgRPfdzfnJSNs39Q+e9Yemmx+i7jSAnlJdjUXV4tc1pIUnMaDQSdtCfECyEi063brsnR+Wz1i62fKvZqa9nTTub2SXyQy2SVQFG7ZX3rYWkMEyuCMsCOYoJtrSK7qdizFAj8ijpfsyK7qCQNSVg==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xROvW8afY4pZPrX+GssLD3UIRtAE270/phWfPDsgOIc=; b=iRWq8k7q0C7+po0gqZsm+ZAKPlIiVL9/Do+0cgBuLjn7YjMT9b0I8XkNrpwI3E3O40/TjmS20szFT1SD9MkvTO3x87WcZxOJwJ3sQ6lC1vqEew7yja4clUJ+OSlR4eLXe7nZOEDtHUAVrVgLzEAV0czaTpDx0JZtEvN5+umpquAkkPaW0DefzZdLX1sLw878V9mg30bFW3gc8lDSQQ+fk6b9PqTR9DdUwX/ZsPsqvG96YIlawr/p5EB9ReyI4dmlL+bAxn4JZsk9xmOJdIVI5T9I2LL2mkuHNBcH37aRTHSPY8n3hgLlJDffn3VbF9p9xDVAYzVGgVOuQxN+hyCcfQ==
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bombeirosamora.pt; dmarc=pass action=none header.from=bombeirosamora.pt; dkim=pass header.d=bombeirosamora.pt; arc=none
Received	from PR3P195MB1085.EURP195.PROD.OUTLOOK.COM ([fe80::4111:d017:f4ab:4297]) by PR3P195MB1085.EURP195.PROD.OUTLOOK.COM ([fe80::4111:d017:f4ab:4297%6]) with mapi id 15.20.7719.029; Tue, 2 Jul 2024 07:11:41 +0000
Authentication-Results	spf=pass (sender IP is 40.107.22.117) smtp.mailfrom=bombeirosamora.pt; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=bombeirosamora.pt;compauth=pass reason=100
Received-SPF	Pass (protection.outlook.com: domain of bombeirosamora.pt designates 40.107.22.117 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.22.117; helo=EUR05-AM6-obe.outbound.protection.outlook.com; pr=C
From	Geral Comando \| Bombeiros Mistos Amora <geral.comando@bombeirosamora.pt>
To	"lavaredas.serrano@marinha.pt" <lavaredas.serrano@marinha.pt>
Subject	Geral Comando \| Bombeiros Mistos Amora shared "Urgent Request" with you
Thread-Topic	Geral Comando \| Bombeiros Mistos Amora shared "Urgent Request" with you
Thread-Index	AQHazE7u5yN1FFr41kW9rH4JcrY3Ew==
Date	Tue, 02 Jul 2024 07:10:34 +0000
Message-ID	<Share-de4638a1-7058-9000-5d67-554c089590d3-f6faae8d-7d1c-401d-a8d8-8d6de4417e98-a361fce8-71ca-46a3-a768-4356f851f07d-DispatchToRecipients-PreprocessPayload-r0-SendEmail@odspnotify>
Accept-Language	pt-PT, en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator
Authentication-Results-Original	dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=bombeirosamora.pt;
x-ms-traffictypediagnostic	PR3P195MB1085:EE_\|PAXP195MB1581:EE_\|AM4PEPF00027A68:EE_\|PAXPR05MB8351:EE_
X-MS-Office365-Filtering-Correlation-Id	ab097e8b-632e-44b2-69a3-08dc9a663aa3
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|376014\|1800799024\|69100299015\|366016\|38070700018;
X-Microsoft-Antispam-Message-Info-Original	Z18o40/usMnlZTwToA5DvTp4Mg/yyMxY/GlxTZ15mlF0enUDdh+Ckt86s8PXeujaBtPwl+tw7oYLIJTrzJivjBo0xGVhOdbnuKnNnORdqZvQkjhv5aOccR2tojK8p2mSvCA4GDr3Wy12BKa5O8Bu/ttwNJT8eUVlboLi/DI3cBMNQTw5Blb5bM+axN/HlvY44jF1LlRaCOWNprLpQkV0g0PWCxhhJrEK8hAilNvNybCQjZxItXlf1tAvvwhEgViZfAVXKqUhrws3WXNaIs4F9OXhBdWiRldL8OQghq7GnKfhZhIGKdx8JwIlLNRImWLFKvR38DwCmDNAy6Oa71pzhWcMgB/91YcklnHT4A44JD7XIbT2WBHO2947pWpjiSMCCWy1KNcAhqsAfeXhF7cPcXsue3Flirie3sW5wGp5fPygOt2tzroAx3NNxTDcx0S2wlGoI4Dpw+90FfshWrDSPv8HJsV0OayrtqGhuaV2d7uWqsSd4XO0tcJEDlFig+f+HnjMbDIR0nF5je6XxPj3+vrMFD5W27ADeTIfYrY8//sDePior55ySVTF75ZCTg6dnN1OX6YSXP74f1LVpOMYhWhn7DPuArQYuVLpe4HVEU74iWlNUsI4jOpXmu1iPoVEIYyHZCQV4l6V/Bh4SYDpQLXomWWtNEPY36ZXuaQ3sq3ZdPck6NtATO7h+QC/ymmj0IrfOFdcFQm3filuh1gD8Um4O1iESI6/kxFcszCPRiGIzchhnfwYDr2CoR8PiDPYo2LjDkWX6CwLe0YZwvxAF+XbToqQUlao9cxRbnXf7jNmETkPFaAs8Oq419H3gOKrIyas0QETY2opIqFawXRYlosbPPgFw2rr3I4qx1B9RFlEl0+HJ4B0pQM8izivzY57kcUDSqILe6sSj1SRnl1vSRFsNPm5vRPSxBs+X7laUmqSedR7ky70F6xJlKElf66D9gJ8v+SlfCX5k3GDVqQyd1tz5f3U5UNab/y7L0sRvaT0wiylMY3YI3cDZ5dk+dSbTd6q+PPS9wc8ZrXVEgEOf8IHgSeM2DVHUygZRgWtWT1eHx9Eksba6KaX3EJPYhFKT3hWSQKDr7UvHmP5cXafjUERMfoHWLrzI8ILFc3tj+mpIaChbgR2VsQO6m9QMOSF3Sj/ev8u8Hs+2m6bxlwxmliaumJUtRGxd19UheNZV3lc/zGj9skx7wvwvA3OPJ0Fiimc83HPDye+rZeh61dEPaeLkaqGehabyioEZNaE9PPcYR5IGgh0YeLqKBsjhSNcIOySf1PXIPgTdechwZ32dHQZldRkmtAW+CTmp++n0yG4HC1jHWo3W8lb4QkT9eG4qw+Nt5+CBoFDeu2ZPj26aKGdOj1JME62MW+KSiCebr8=
X-Forefront-Antispam-Report-Untrusted	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PR3P195MB1085.EURP195.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(69100299015)(366016)(38070700018);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount	1
X-MS-Exchange-AntiSpam-MessageData-Original-0	FsmEGRME2Z8dtj6zGzCzG9L//i/y793Cg9RlXrH1lLqbEHGXqmKe6DS5rF/H7LLwS5zjLvQKRmjQ/fk5PsG2Caflahh+yy66ZLHEA1TvRXVXq7Oy1SFuV7Cl0m3FWbgiHq8g1/3fD1qIWTBbJnaYc/5SWrIrmJmynLiwGzD3oqIMJgp4HMUnZMmSCrxFWlUp9lemPgRQ/wxcLyriLInCKFb1EEYXF0Srjyp0JI4u3ar57VTjUZp4UnI0ShjIjIOg7py7ZUGJGhJyZNAkG57RvkVSfYnJq50i8e0o4ssHpm/MCN8krZm7U8aTUoVPGU5VnJM7SnJP4XpvrsGlEdQQJt+r066caHjH+j6nmudE2HQSTvr4VBzebqOyn7eUxD/7HrzVTIyGjfCvEvvjeighqJ9JByzuoHj7JW6Na+m8cQsw+91UwgH00sSAbz198smY9N7/C655XPEXvOeFtKcj/x83JPcTmionT8EPqSlfYc7kpY2Hf3Un1HwjSLaOgtmXWkl7xWVs44x/KML3FTktOMNRzFM510BkBcreIVyIQOy2cO4l7JrDdWqXoNLif0cIIKYhb+t8r9qBtvg0x577ko/2spt2Mwrl4h38Qo06rNahJYYVqgZjc5qWHLE/zqneJWl8mLB4dmByyExmGYowAac/xMdhbDiqYFY9OsvRQSMmMvkMyAPg1T/nKDoDaiDRbUfdTzVbJwfVX/RapHRprXTWn2DOLgfQD00KCfZ7MUo6xOXAKK34TZP+scLB4OXE2P2emksiX+inRgwkasJZMfNvN8fK0qHG/UclRwB1jBf1aKU4OX73OWacj4m6Vil/5HzLveGG+91ZYE6LbfJym0j9UArW4lRS9OnFGypNwQm7Q3K3d/mcbM4g+YAMJop2gendG75rU5BVzo3gEj6ObXJnOTWpzGkB7MRFNM0aV2lB/6Wi2brezRxMTcAzUPV8n2RNIt+X9PvNXTs5CxKNiNgU0zDF6ignH3pxdF6FxVylR2kXpa9qTMTPcB1r3Bef+T42XqW8LJ8Wjo/O5GamAwynSr7t+z9xlGemAX1TrMo1Ft75v0WQj8nZijwuIp/bbl7NY8EsQdAqHkVHpUakgKX48CqAlsszO2TajThb9dugDdutbrvJWQMZ2L1gyZ4+zzIR3qdCQNJad2NT76R3KksGasSm7z+PMMjM2Y47m2QPVpc/7dwb+HRElUMvVe+/ZIkOI+0jaiv0RpemwCQcbFp6OzCtRHZY8rCF4wBeHXkrL7WcZWi5/fmLUyfHHf8WLRsi9IY9V/IgBYUm5k8Bf7RtrzrExFflDBAFyhstRfZWmt9CESI+xjBjFnGfwFqAzHWX9MmYAtgSIwrWER7TqtJj07/pQfkmeUWKhk0kY7MbTXZa9LoBmduJsZ5rFZo2Us47ss39L80SMGxE6NA2WaP9VwUeYn/tGmqAmIoEXHTus+fXYebwhG+JknIPxLfpwP7OGHntfncwLli7WEXXH2L4SAcmnX81ZrQkUWsOyuusamKnezd4ExEHZUwHqj07QXCS2+8+Avw9X7AN6Q+GirH/uRQ+ye/7uMqxmkhBdLfZKByANYsIJAWVQEeHqoRzfDCQ70w9ZdxEAEgnF8nf+g==
Content-Type	multipart/related; boundary="_007_Sharede4638a1705890005d67554c089590d3f6faae8d7d1c401da8_"; type="multipart/alternative"
MIME-Version	1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped	PAXP195MB1581
Return-Path	geral.comando@bombeirosamora.pt
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	ab1c4186-bfe7-4663-97fa-53f0e33bc8c2:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped	AM4PEPF00027A68.eurprd04.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	AM4PEPF00027A68.eurprd04.prod.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Office365-Filtering-Correlation-Id-Prvs	3d4bff83-8afe-47e7-9cc7-08dc9a6638d3
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Forefront-Antispam-Report	CIP:40.107.22.117;CTRY:NL;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:EUR05-AM6-obe.outbound.protection.outlook.com;PTR:mail-am6eur05on2117.outbound.protection.outlook.com;CAT:HPHISH;SFTY:9.25;SFS:(13230040)(22003199012)(4073199012)(69100299015)(35042699022)(5063199012)(5073199012);DIR:INB;
X-Microsoft-Antispam	BCL:0;ARA:13230040\|22003199012\|4073199012\|69100299015\|35042699022\|5063199012\|5073199012;
X-Microsoft-Antispam-Message-Info	hxx3lpUsnkz5ptszRLFxZLRZ/ab7DQAE3Puhl5j/4WBQogoKOzv38aSDj3ivqgcWxL6L4uVhyOjWrBwORNhXEj4dRmxuwafOSpma1zhfOieslemAKQuh33BDc68IV/3CjQz02TZbwUBSbdR/92K9F1f/YpVYee7R6zbex1NxX4MsCo5LnOJD/i6HJl1e4JlF6Dg1K0l4sPFfsH4tXTH28jNjlt0EKn5q0CekJnUkJMT4AggGPh2xnDFv+RLUs0R9QMvYj9yK6pHeFTftqe9cTOj6GSarbi568ctmH+k/uc9hrMutyvo/qoIuYOuvzywUlORx9jpbC1nHggOqYPu+8UO1JQwGX2CSe+VEeAeSShF/6dlkdml64FCLmGmXsgdOkD2xbjMshzMsn1iEkpGJhY40uHIqeBcUEPwVEBdbANGR2wSy9QxiT9IyQtTNIP/EZpuvSfrapY+9dAxV8sTlh1IbtEtR0/IzXCsbkEazGdmzZj50SNaQkUFDbhKXWkJHbuRWUjK05giDRtvC0zA5l+4ZYa2pR8DYCPHoJWF6KsPjRyhrt6YzCkrrUhIsfb2tISCujhueW94gy/uLwVi06grPiT42QD2/mBpnzPRgRZ/wlaVFG3csYvdenPXfCOvo11eBpCk7x3wNFsQIcEkXG6gMR+tFRtUz4SNgrzsX0hXmhU8c9e+3uJzzjCzTVmqiYyx81DGF3esDd9BRMmIeKYIUb/MsuG2Fjc81ZXjyJSoFII1nx7TD64WckimZSqFG0uXYseBCUPK9/VCWlPRBq1aFR1GG//vpv3L0LfwMLH7ncH1ALVAXEIbQgMpOpFguqm0WPM8FBgFCrtZKOzByDqR8It8YtcV1MnGzoZstErSMr28ArdI9Ejr3KJ/Nqz5QUbMzRW8lCTAnNG0e2eU5f+/0U7h03CkSmsaFHBYZYSf5IBT4R7YwUkyy4+0dKz2y8BZE2FAcEzlSuS+p6Nu2V8RcaWskRV/OzkjYWzdL05bWRHw10OaCWwEkATN09awNwS2LWKysdsNa02V9HeH9Vk3q1oyWuPc4H9DoiwsHSOz6t3g7TMqOvnY4EwukhWQ5rEikAT6lWYec2aVb0nJvG6NoYH89RgkfUWIp2CqydGPHmFT0KKiZ/fUdITDUtYQXq7pftqxu7kmSGqVKHAJpkQn1zTZi5h0osODfrvZx4J+ocRQI1D3sPyrUDQXoqhjfyF5+BwHGdgLNucy9quIn+SfncG9i4vgBK5STlHIO6Ewrnsksjk9ApuSowATlIclNMU8lYmHE1/1/Sbz1COoZhr5roylZiXlfOqdJUrkhrs4v/WpmK3G+69VCpghC7gfBH7Ry8TKglyge68sBrXcvqtvatxsYpPok3AnabhjMDD8bWR+42atN3YFk6rJmwT8Sc1MKGmAy3xodjD8GY3vZCFFkImsjdZFglOa0y6QsqK021YQsXlM8Ug/ZEY3uOUe63hhPDhNlnPbf6EEa8INcugnLfQBp+oh8xEBUfii4qvHtTEDzpJEwSS5a8oQVrGPugrULDZSgkiItpEqjn200f6spJ+SFukRww0tZlHSFE31IPCTzNJUkIQFdVra/diQLDBQTExmveiT2Mo4e0JFZTcyFWnxwpud0SFy1Jd80UD9gm/m3HYN3K6XqWH9dZmWhTwG5DDRWRxF67IEKFghkldm5kps4I3qCnsBdxB21wpKuM5v/+wGgY4dxdHn47CjivDRHSIINhuHi2V1e+Q7Lmhob8tpKgmLhopRNHlkO2+DWbEQ03tjaHt70MEdpjpfFcBD2t1cny6AGgh6Xtmk9yZwuUq1mhVkG/oAF6D+IzUqQjDw6/xVnlywt6xvJGAn1m7z4O48lt0fIW1el+GNfjmOKEQW/xtivP3EEe23mbbmpdazpJcoKT0npjndsgyNlJEglT0ICHvgxiyLauNAXZWH1hj+vutzZKLDMd9uFjzNDvRg2/D4cr9dQ77yISIBmackN8jyhHIrVpqyJAS/B+07FzV3ZGkjguKAJjXT4rtxcb2ekpk7c5BvAnQd7XeCLSPSKJuc1rA4NxjEcRto1pKrSECASVuwPbtbx5VqnWQ1hWh9IvOsm+42ZLkSa1bMew99pCmJh9nYElYumKKC6647n5WVt84CcmuyvM0M8oOnUiqOf9w6F8tMJuy3nZXxI/tLMgaHBKqXnmlthyZ7jkfsA0KhZStgqTQrc26TfY7JOaRM3oaEVSOKiBSvnUDxfBdE50JKZJP3p3sj353B89UpB6cEElYHmRD0GTivtQXVOIG0vEEq34/NAmKKHDIVzyx2tUUP4zVvqZpBx7A8ZPOAE9FGJlHwm6IhzzDMj0jbFsfBEQ4hJewi88Eyps2z247NNrZSyz1wzZ1n3qPxS0DuET8XKXSFEgQX60d987wHNDbVGAePx5c4R95UfRAuJM2DHWWPdiZuWlFeH37ugut5G4bUJF5KwG/YXqfnfRzL+HQMhP6j3nq0p8yeSGYEyu+MXg0TkjAB9t7icNZ8c3w==

File Icon


Icon Hash:	46070c0a8e0c67d6

Target ID:	0
Start time:	05:07:27
Start date:	03/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7253e39d-9e2a-897f-f7fc-1445151717e5.eml"
Imagebase:	0xbd0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:07:29
Start date:	03/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D73A3FCD-DDD5-4483-A749-CEC5746836E0" "1C95EE42-F715-4654-9F8D-35166513BDFC" "4980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7addb0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7253e39d-9e2a-897f-f7fc-1445151717e5.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4994AC07-5E3C-4F37-A7E3-FE04F1DBCF44

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31F17C90.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\50C6020B.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EAF4B351.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EDD301B2.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F07E678E-3987-4E93-A1D0-AD736AE1D1DC}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719997647748806000_CF2C1FCB-4279-4DD0-B59A-154CCFE1AE1D.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1719997647749496500_CF2C1FCB-4279-4DD0-B59A-154CCFE1AE1D.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0507270535-4980.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
7253e39d-9e2a-897f-f7fc-1445151717e5.eml