
Windows Analysis Report
EmbeddedAttachment1 (81).eml

Overview

General Information

Sample name: EmbeddedAttachment1 (81).eml
Analysis ID: 1467941
MD5: a9bf6123b7ef1cfb474bec002629c239
SHA1: b80acc681b9faeea04551bac40be5d99218b9079
SHA256: 5e11e4dcbfdc68861b31edc621d3340d1bb1638701db8b8ba32d0b87a876a57c

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8000 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EmbeddedAttachment1 (81).eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 8164 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "78F32E48-85E2-48F7-AD9E-A7623495191D" "D9DD06AB-9C1F-4E50-BE59-6FBD065C58E4" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched


There are no malicious signatures.

Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://wus2.contentsync.
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 951256EC-EB5F-401A-AAC4-D5193C391D28.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine | Classification label: clean1.winEML@3/13@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240704T2355590214-8000.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EmbeddedAttachment1 (81).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "78F32E48-85E2-48F7-AD9E-A7623495191D" "D9DD06AB-9C1F-4E50-BE59-6FBD065C58E4" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (65 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matched signatures mapped to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (rendered image not included in this extract). Behavior Graph ID: 1467941; Sample: EmbeddedAttachment1 (81).eml; Start date: 05/07/2024; Architecture: WINDOWS; Score: 1. Process chain: OUTLOOK.EXE started ai.exe.

No Antivirus matches
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://login.microsoftonline.com/ | 0% | URL Reputation | safe |
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe |
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe |
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/connectors | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe |
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe |
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe |
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://ic3.teams.office.com | 0% | URL Reputation | safe |
https://www.yammer.com | 0% | URL Reputation | safe |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe |
https://api.microsoftstream.com/api/ | 0% | URL Reputation | safe |
https://api.microsoftstream.com/api/ | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe |
https://cr.office.com | 0% | URL Reputation | safe |
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe |
https://tobu.ai | 0% | Avira URL Cloud | safe |
https://otelrules.svc.static.microsoft | 0% | URL Reputation | safe |
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe |
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe |
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe |
https://graph.ppe.windows.net | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-user.acompli.net | 0% | URL Reputation | safe |
https://tasks.office.com | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe |
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe |
https://api.scheduler. | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
https://edge.skype.com/rps | 0% | URL Reputation | safe |
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 0% | URL Reputation | safe |
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe |
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe |
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe |
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://graph.windows.net | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://substrate.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe |
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe |
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe |
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe |
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe |
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe |
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe |
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe |
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe |
https://my.microsoftpersonalcontent.com | 0% | Avira URL Cloud | safe |
https://pushchannel.1drv.ms | 0% | URL Reputation | safe |
https://management.azure.com | 0% | URL Reputation | safe |
https://outlook.office365.com | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe |
https://make.powerautomate.com | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe |
https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai | 0% | Avira URL Cloud | safe |
https://outlook.office365.com/api/v1.0/me/Activities | 0% | URL Reputation | safe |
https://api.office.net | 0% | URL Reputation | safe |
https://incidents.diagnosticssdf.office.com | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://tobu.ai | ~WRS{B75D07EF-C3D6-4D3F-B1FB-04529ED4BCFF}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://api.diagnosticssdf.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://login.microsoftonline.com/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://shell.suite.office.com:1443 | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/connectors | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://cdn.entity. | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://cortana.ai | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://www.yammer.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://cr.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | Avira URL Cloud: safe | unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://portal.office.com/account/?ref=ClientMeControl | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://powerlift-user.acompli.net | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.scheduler. | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | Avira URL Cloud: safe | unknown
https://store.office.cn/addinstemplate | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://edge.skype.com/rps | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://globaldisco.crm.dynamics.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://messaging.engagement.office.com/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://web.microsoftstream.com/video/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://api.addins.store.officeppe.com/addinstemplate | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://dataservice.o365filtering.com/ | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai | ~WRS{B75D07EF-C3D6-4D3F-B1FB-04529ED4BCFF}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://prod-global-autodetect.acompli.net/autodetect | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://substrate.office.com | 951256EC-EB5F-401A-AAC4-D5193C391D28.0.dr | false | URL Reputation: safe | unknown
https://url.au.m.mimecastprotect.com/s/_m-9C1WZX2H3Kz4gtXuuDj?domain=tobu.ai | ~WRS{B75D07EF-C3D6-4D3F-B1FB-04529ED4BCFF}.tmp.0.dr | false | |
  • Avira URL Cloud: safe
unknown
https://outlook.office365.com/autodiscover/autodiscover.json951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://consent.config.office.com/consentcheckin/v1.0/consents951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://d.docs.live.net951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • Avira URL Cloud: safe
unknown
https://safelinks.protection.outlook.com/api/GetPolicy951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://ncus.contentsync.951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • Avira URL Cloud: safe
unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
http://weather.service.msn.com/data.aspx951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://apis.live.net/v5.0/951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://officepyservice.office.net/service.functionality951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://templatesmetadata.office.net/951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.lifecycle.office.com/951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://pushchannel.1drv.ms951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://management.azure.com951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://wus2.contentsync.951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnostics.office.com951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/ios951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://make.powerautomate.com951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/api/addins/search951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/odc/insertmedia951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/api/v1.0/me/Activities951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://api.office.net951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnosticssdf.office.com951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://asgsmsproxyapi.azurewebsites.net/951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/android/policies951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://entitlement.diagnostics.office.com951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json951256EC-EB5F-401A-AAC4-D5193C391D28.0.drfalse
  • URL Reputation: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467941
Start date and time:2024-07-05 05:54:54 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 18s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:EmbeddedAttachment1 (81).eml
Detection:CLEAN
Classification:clean1.winEML@3/13@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 51.116.246.106
  • Excluded domains from analysis (whitelisted): ecs.office.com, onedscolprdgwc06.germanywestcentral.cloudapp.azure.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, dns.msftncsi.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, neu-azsc-config.officeapps.live.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Input: URL: e-Mail, Model: gpt-4o
Output:
```json
{
  "riskscore": 7,
  "brand_impersonated": "Tobu.ai",
  "reasons": "The email appears to impersonate the brand 'Tobu.ai' by repeatedly mentioning it and using its URL. The subject line and body do not exhibit typical phishing characteristics such as urgency or rewards, but the presence of multiple links to the same domain without additional context can be suspicious. The email header is not visible, so spoofing signs cannot be evaluated. The caution message at the top indicates that the email is external and potentially suspicious. The URLs provided should be verified for legitimacy, but the overall structure and content raise concerns about phishing."
}
```
No context
No context
No context
No context
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.381131792793949
Encrypted:false
SSDEEP:1536:UlYLltgsJTKsQttECgs66NcAz79ysQqt2DcFfqoQDarcm0Fv9ztyyTh0DYznH3ea:jngKq/g6miGu2mqoQGrt0Fv+MN72Xddk
MD5:B1740B8AB6FB566FB6B2CBE7B79B637E
SHA1:127B004BDB638F628400CA972892768EB0D94DC5
SHA-256:E50F23571C60FFA54D4AC58A546460F4E51D7E85CCA2640886B8FC5D9AD2B9D8
SHA-512:2BF5C19B70038C3C116B989B16522DD08282ED09A880B176BC3F9B2F266C242B11B3F1A004D6BB91BF70359F067CE8FF93E84CD7AFE0D13A539D96A860FC7095
Malicious:false
Reputation:low
Preview:TH02...... .0!.5........SM01X...,...P..5............IPM.Activity...........h...............h............H..h$.O.....w.....h............H..h\FRO ...1\Ap...h(o..0.....O....hw.)............h........_`Hk...h..).@...I.tw...h....H...8.Mk...0....T...............d.........2h...............k..............!h.............. h..`.......O...#h....8.........$h........8....."h..i......i...'h..f...........1hw.).<.........0h....4....Mk../h....h.....MkH..h....p...$.O...-h ........O...+h..)......O................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):174490
Entropy (8bit):5.289618200916475
Encrypted:false
SSDEEP:1536:Ri2JfRAqcbH41gwEOLe7HWaM/o//MRcAZl1p5ihs7EXXmEAD2OdaB:ece7HWaM/o/7XDk2
MD5:EB27BA24AFC1A589ED7151E95379AC9E
SHA1:BCD3BE3ADB28FFBBDF652BA0313F03F4FBB661DC
SHA-256:45A825582DC86FA8FE2CAA55D20B54BFE95E853E4ADEFB0821AD226F74A395D7
SHA-512:41BA045AAE1408D94C6ACFF0F6F76431864221AD281FA36C988FC97E23D37BE237D5B767827164DE99C7B05F9A04499184610799A2A8DA510A88057161C06F01
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-07-05T03:56:01">.. Build: 16.0.17812.40128-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.045788677213747804
Encrypted:false
SSDEEP:3:Gtlxtjl+YgdEDZJ1W1lxtjl+YgdEDZJ11l1R9//8l1lvlll1lllwlvlllglbelDX:GtePqZ7W1ePqZ7H9X01PH4l942wU
MD5:677D5D779FF7DDC43CEE8D1A11737523
SHA1:33A363B813EA35E81B1D20E9145E07C60A6A2452
SHA-256:F938EAD34B2E8CEC9BBD841EB6007E5C2602F4C571EF6CD9C4ABBB163DBCCF49
SHA-512:0074F84987885D90213984F065CE37B188DEAD61FB9C52C6FBA707FC89E0368D5A70DF836BA2E04B71487D9733E7B7626BF3FC5483BE55971E865F855FC02663
Malicious:false
Reputation:low
Preview:..-.....................B.\...[.E8..:@d..&.......-.....................B.\...[.E8..:@d..&.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):49472
Entropy (8bit):0.48232682628325607
Encrypted:false
SSDEEP:48:6UMKUmQ1RUU2UbUll7DYMRUIPUmzO8VFDYMRU5UgUBO8VFDYML:Cwll4sXjVGujVGC
MD5:67EB0CF66271E027628A75C86783FE30
SHA1:282A171A1428529196B18C70BFD15C5E3C591146
SHA-256:D93A0070D51D90910B668A86377D21EC5F433C6EF1C23F9202C2C5E142922DF5
SHA-512:94BCA730501D816E57282C08367B0985D64377BEBB0F3D07D65563B8DC32A7D2FC055953698FF584B274B1E478F99ECCD3719D226F1F268EE37449B4CAFBA987
Malicious:false
Reputation:low
Preview:7....-...........E8..:@d..H..G[..........E8..:@dib.oz...SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):2048
Entropy (8bit):2.4196827199008886
Encrypted:false
SSDEEP:12:igkXQwYIObbmjO00h0N0m0408C0c06vW0dJHIY+Ljz0slebh8:Zm0h0N0m0408C0c06vW0dJoYM/0V18
MD5:410DD78C946B06D58DE38ED2DD66A13A
SHA1:D51DA2111E57337AA440C1EC943B46F9D5FD42FF
SHA-256:92E7EFAD7B998A73A9794D27826DD17564BA8307A7F8E8970233F66858110BB1
SHA-512:BBDF8C4814C6798DFE049C0F751B372BD0E971F4BECEC8E02519D92D1DD8862B6E6589DCE5CB7E21AAE8ECEC9CEC81E3017E4AD271B8A65B0D8F7E5450BAF54B
Malicious:false
Reputation:low
Preview:....1.2.....1.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.....1.....1.2.....1.2.....1.2.....1.2.....(.....(.....(.....(.....(...f.r.o.n.t.d.e.s.k...f..................................................................................................................................................................................................................................................................................................................................................................................... ..."...(...*...0...2...8...:...@...B...H...J...P...R...V...X...\...^...d...f...l...................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):10476
Entropy (8bit):3.822676846878037
Encrypted:false
SSDEEP:96:S8W8kde1rrthurAq1fBdHerqHqAC/z5IZRW58jZQyqXsw9qY8SjdIU6OxBBBgxVo:S8W8kErrth1EqO58XsPU6OxBBBgDKPa
MD5:CBB96A9D424BC421EAA84ADA831EC403
SHA1:24B6BAAF116515888537CD25EBAE71A015975CA8
SHA-256:252C7BDAA361CCB55BDA9581BB550837A4E9F0757A527547FEBAA419E4B73D59
SHA-512:0E14699D62EEBB860C49C62D5F10A899F5CEFF6C54495181CC433DF058F27F61BF77267F104D8D7582043C5C07C20E4798F5BFEFC04FC736035C7E7D9F8A19C0
Malicious:false
Reputation:low
Preview:......C.a.u.t.i.o.n.:. .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................V...X...^...............................l.........................................................................................................................................................................................................................................................................................&..F....d...d.[$.\$.....&..F....d...d.[$.\$....-D..M...................-D..M............*...$..$.If........!v..h.#v....:V.......t.....6......5.......4
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28748), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.15872484712645432
Encrypted:false
SSDEEP:1536:MyGryvvuTEGNbFARLFNBUECjjkn5Isj08+biJAAtTBT:zvmpNbW/+v
MD5:AD569E76D0FF6D3329F68E726C6E6C09
SHA1:3A621676CAA603AE6E4BB440EC56A57ABA1FD7E0
SHA-256:FF2386D3196CF18ADC610539942905A5FA14AE1CE32C269C47222D93DF640F15
SHA-512:4CB7B6AAA61B4F7F9678F6D3E19055E855275A2B5393D89A4FA5FF4217B5BF2E3E1501E11E86A8CC41EE021789DF2E05C0EF65493A540EA64BA3214AB58AF541
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/05/2024 03:55:59.542.OUTLOOK (0x1F40).0x1F44.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-07-05T03:55:59.542Z","Contract":"Office.System.Activity","Activity.CV":"So+oYrdW5U6zLQxVWlQZzQ.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/05/2024 03:55:59.558.OUTLOOK (0x1F40).0x1F44.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-07-05T03:55:59.558Z","Contract":"Office.System.Activity","Activity.CV":"So+oYrdW5U6zLQxVWlQZzQ.4.10","Activity.Duration":19194,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Reputation:high, very likely benign file
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):106496
Entropy (8bit):4.4806355676001
Encrypted:false
SSDEEP:768:KL08vw1Di6YtpP3xep4sD9ura2CRhKrHuBXKBofnWqWUWtWPx6k:SvlBM4sD9urmr+gXwkZ
MD5:A486F4B85F493A728751D9A8E3E3EFFD
SHA1:F76F6486D969D30B19A3D3334002EE34FE73E719
SHA-256:4AC49F1BD8115FADBCB47FFC4437A369E8983A5F47D3B687731D31520D0A1DAA
SHA-512:1F50D5A3D8D96A944DFB3E850202FA0691BF2D7DEB52E1C8957E755DDA2998F71BD43DA869EDF54191737588D45AD9D36901761108AE54D00CE61ACAC2488672
Malicious:false
Reputation:low
Preview:............................................................................h...D...@...s..>....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0q..Q...........s..>............v.2._.O.U.T.L.O.O.K.:.1.f.4.0.:.a.1.8.9.e.a.2.2.6.f.9.c.4.5.9.4.a.5.8.e.7.f.1.4.0.b.e.8.1.f.1.8...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.7.0.4.T.2.3.5.5.5.9.0.2.1.4.-.8.0.0.0...e.t.l.......P.P.D...@...s..>....................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:GIF image data, version 89a, 15 x 15
Category:dropped
Size (bytes):663
Entropy (8bit):5.949125862393289
Encrypted:false
SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:false
Reputation:high, very likely benign file
Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:1tl7tt:
MD5:76FB8AE1369590D96F6EDDB91CC73D2F
SHA1:08A376E98707B7C22C3C6412C6708D0B8664604D
SHA-256:0E0699CECFBFD200482DCEE3DA90A9D4F676DF91E91E517AF98C80796DCF2941
SHA-512:DDFECA1788E1A997041ECC7C40260DC3B20087C2671F1D8A17C0C7EE9CCF0BB64074828AE0DE8F29218EA3EA4B6B5B06A3F34E841ED022AAEE7A2167754EF287
Malicious:false
Preview:..............................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.648774943661789
Encrypted:false
SSDEEP:1536:G/QTOJcGuqbyJSLNWeLOtCGDd2RQFniCsDDJW53jEpEHP4qQ10PAwrLDOQW53jEE:6MOJcj3i3p9/Sp9
MD5:9EE0C94D873A96437F3F20719D5DD671
SHA1:7C2F92D4A7018E2701AE637FB7628D68E1BD98CD
SHA-256:95E936E0B8A6A947EC2C1ED40335F2BCDCCE8E84BB4579913BDF6D76CE189A2E
SHA-512:15A4B175953CA5CF9BF69FB7B1040AC00811380F4B0B7EFD152E29CE31FEB77136641C88A24C1932D874FF20AADE4251CCE1D529E8E8A46040FF447C6FAEA8B9
Malicious:false
Preview:!BDN.6O.SM......\.......................Y................@...........@...@...................................@...........................................................................$.......D......@...........................................................................................................................................................................................................................................................................................................................T........n#..'.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):2.7199329094223907
Encrypted:false
SSDEEP:1536:6W53jEpEHP4qQ10PAwr18DOO1W53jEpEHP4qQ10PAwrsH3TjDDnu:Yp9aap9frn
MD5:915D66852F6C2C6AB9F68432C25BBA85
SHA1:A529AEB56A29D3A94C08537677C9A22D0F17E939
SHA-256:117802371F8B697480701B70074E61315AAC245AC99826D8082BCBDC75B223A6
SHA-512:37660571020BC631E450E4E46AE1E423FDAA19B30303BDD612BDF3B521A249814F240DEBCEA552F5F6BB9D0632524AC5E80C59830B5DE4BF11DC710272AD4D8C
Malicious:false
Preview:.b.]0...p.......@......>.........D............#.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................c.$..D........L.0...q.......@......>.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):6.084201234000767
TrID:
  • E-Mail message (Var. 5) (54515/1) 100.00%
File name:EmbeddedAttachment1 (81).eml
File size:29'102 bytes
MD5:a9bf6123b7ef1cfb474bec002629c239
SHA1:b80acc681b9faeea04551bac40be5d99218b9079
SHA256:5e11e4dcbfdc68861b31edc621d3340d1bb1638701db8b8ba32d0b87a876a57c
SHA512:a2392a84e69d10a12856d1e59f97c54a462ace19df0fb4931308e0bd4f918a28686ce9708012b391e068b652da3e1c8268cd930a317f8be2710569b0a531a52f
SSDEEP:768:ufCtpFVoPbv5FVoPN0OVLs8Dfc05FVoPnUEYuBmIs40M:Z3cbv53cN0OVDfZ53cnBYuAi0M
TLSH:0BD23A214616612BFA8052508C295C5E2121FD03B5BFC4857D0FAABB91DF3BF7E72C96
File Content Preview:Received: from MEYPR01MB7739.ausprd01.prod.outlook.com (2603:10c6:220:15e::7).. by MEAPR01MB2982.ausprd01.prod.outlook.com with HTTPS; Thu, 4 Jul 2024.. 10:15:58 +0000..Received: from PAZP264CA0053.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:1fc::18).. by MEY
Subject:Download All Your CV/Resume Email Attachments in One Shot With https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai
From:Karthik Sridhar <karthik@tobu.ai>
To:Caitlyn Bonaventura <Caitlyn.Bonaventura@hays.com.au>
Cc:
BCC:
Date:Thu, 04 Jul 2024 20:15:38 +1000
Communications:
  • Caution: This is an external email and has a suspicious subject or content. Please take care when clicking links or opening attachments. When in doubt, contact your IT Department _____ Hi Caitlyn, Are you tired of manually downloading resume/CV attachments from your inbox one by one? Whether you need a backup of your resumes quickly, are moving to a new ATS, or simply want to be more efficient, there's a better way! Great news! Tobu.ai<https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai> does exactly that. Tobu.ai<https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai> is the world's first and only email resume/CV extractor (patent-pending). When you sign up, Tobu: * Instantly auto-extracts every resume/CV in your inbox (every single resume/CV you've ever received). * Provides these resumes (doc, docx, pdf, etc.) in a downloadable zip file. Bonus: * Receive an Excel sheet with key candidate details parsed (name, email, phone, job title, location, etc.). * Automatically adds resumes/CVs to a private, searchable candidate database (fetching new CVs/resumes from your inbox continuously). Interested? Let me know, and we can connect over WhatsApp/LinkedIn. Sign up for a free trial here to see it in action: https://tobu.ai<https://url.au.m.mimecastprotect.com/s/_m-9C1WZX2H3Kz4gtXuuDj?domain=tobu.ai> Note: Your data is yours alone. We do not own/share/sell it. We are GDPR compliant and a Google Verified secure app. With customers across the globe, Tobu has already processed millions of CVs/resumes. 
Regards, Karthik Co-founder, Tobu.ai<https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai> - The World's First Email Resume Extractor WhatsApp: +91 9850 818010 My Linkedin Profile<https://url.au.m.mimecastprotect.com/s/bhsmC2xZY3h1AlYri9UGuz?domain=linkedin.com> <https://tobu.sgp1.digitaloceanspaces.com/email_images/email_image_attachments/1854/original/KNKwkkaaHnyGnetipTFnVZmwlEutvdbbIdaNhYrUJUQoPaXlJG.jpeg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=RL5QLJ6CKNNXPOQSO2AQ%2F20240610%2Fsgp1%2Fs3%2Faws4_request&X-Amz-Date=20240610T150504Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=d7691a884ad5cd0e841518382d795d3fbe5aed6c310c57908de8583924978607> PS: I found you via a LinkedIn post where your email ID was shared to collect resumes for a job. Hence, I thought you might find my message useful. Unsubscribe<https://url.au.m.mimecastprotect.com/s/uHQUC3Q8Z4uqVAk3ivu1l0?domain=feedback.tobu.cloud> <https://feedback.tobu.cloud/api/mail_opens_image/GknQAbWzSOEqocQbOiSfBMhickCTzYFaaSHVUMCIojWimoFOVq>
Attachments:
    Key: Value
    Received: from localhost.localdomain (EdWave [127.0.0.1]) by tobucloud.com (Postfix) with ESMTP id 07BE844273 for <caitlyn.bonaventura@hays.com.au>; Thu, 4 Jul 2024 06:15:38 -0400 (EDT)
    From: Karthik Sridhar <karthik@tobu.ai>
    To: Caitlyn Bonaventura <Caitlyn.Bonaventura@hays.com.au>
    Subject: Download All Your CV/Resume Email Attachments in One Shot With https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai
    Thread-Topic: Download All Your CV/Resume Email Attachments in One Shot With https://url.au.m.mimecastprotect.com/s/O76rCXLKZ1T235QAt60OU5?domain=tobu.ai
    Thread-Index: AQHazfsqaIMFNK0S00GgfpePHGPcZg==
    X-MS-Exchange-MessageSentRepresentingType: 1
    Date: Thu, 04 Jul 2024 20:15:38 +1000
    Message-ID: <6686764a4592_1cad155414633bb@tobucloud.com.mail>
    List-Unsubscribe: <mailto:karthik@tobu.ai?Subject=Unsubscribe>
    Reply-To: "karthik@tobu.ai" <karthik@tobu.ai>
    Content-Language: en-GB
    X-MS-Exchange-Organization-AuthSource: AM4PEPF00027A6A.eurprd04.prod.outlook.com
    X-Hashtags: #Commercial
    X-MS-Has-Attach:
    X-MS-Exchange-Organization-Network-Message-Id: d8c98d73-9087-4006-50e9-08dc9c12449f
    X-MS-TNEF-Correlator:
    X-MS-Exchange-Organization-RecordReviewCfmType: 0
    x-ms-publictraffictype: Email
    x-ms-exchange-organization-originalserveripaddress: 10.167.16.88
    x-ms-exchange-organization-originalclientipaddress: 103.96.22.101
    received-spf: SoftFail (protection.outlook.com: domain of transitioning tobumail.tobu.ai discourages use of 103.96.22.101 as permitted sender)
    x-forefront-antispam-report: CIP:103.96.22.101;CTRY:AU;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:NSPM;H:au-smtp-inbound-delivery-1.mimecast.com;PTR:au-smtp-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(12012899012)(4022899009)(69100299015)(2092899012)(3072899012)(5073199012);DIR:INB;
    authentication-results: spf=softfail (sender IP is 103.96.22.101) smtp.mailfrom=tobumail.tobu.ai; dkim=fail (signature did not verify) header.d=tobucloud.com;dmarc=fail action=quarantine header.from=tobu.ai;compauth=none reason=451
    authentication-results-original: relay.mimecast.com; dkim=pass header.d=tobucloud.com header.s=mail header.b=LfaC3yEO; dmarc=pass (policy=quarantine) header.from=tobu.ai; spf=pass (relay.mimecast.com: domain of root@tobumail.tobu.ai designates 128.199.250.97 as permitted sender) smtp.mailfrom=root@tobumail.tobu.ai
    x-eopattributedmessage: 0
    x-ms-office365-filtering-correlation-id: d8c98d73-9087-4006-50e9-08dc9c12449f
    x-ms-traffictypediagnostic: AM4PEPF00027A6A:EE_|PAVPR05MB10237:EE_|MEYPR01MB7739:EE_|MEAPR01MB2982:EE_
    x-ms-exchange-transport-crosstenantheadersstamped: PAVPR05MB10237
    x-haysbypassforwarding: True
    x-microsoft-antispam: BCL:0;ARA:13230040|12012899012|4022899009|69100299015|2092899012|3072899012|5073199012;
    x-ms-exchange-crosstenant-originalarrivaltime: 04 Jul 2024 10:15:44.6903 (UTC)
    x-ms-exchange-crosstenant-network-message-id: d8c98d73-9087-4006-50e9-08dc9c12449f
    x-ms-exchange-crosstenant-id: 28a68a67-2aec-44ca-9adf-62bb8ebcbc40
    x-ms-exchange-crosstenant-fromentityheader: Internet
    x-mc-unique: VHvXaCNvOsSySSQ3rusWDg-1
    x-mimecast-spam-score: 0
    x-ms-exchange-transport-endtoendlatency: 00:00:14.0086484
    x-ms-exchange-processed-by-bccfoldering: 15.20.7741.016
    arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dkim.mimecast.com; s=201903; t=1720088142; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:list-unsubscribe:dkim-signature; bh=mLapoN+Rt+uWjny2TILanz/HXZguGU1ZiUaQNSbVasA=; b=GIKDito48wiKqZ9poL/+L5K/9DvW59gM8lGuU8rQ/uyVwd0fP8tyB8A/hFK0FLBzf6b1Ye iWCGrXaEqnnpA0/W7XyiSgM2K7Hp1fygCuH/8rjaRfJR3627jCjUU5vdydwcOaOI6x/AZM Xd+cdxhz++8IC0AAA3uISQIKRm/Yb41R5EqxYdmObB0NW8P7PZpK0l9IfHIY3pGghCw1rC ru3stNoar1w4BEtMCNjdGNVM+yleFLF4KP4eOjSO1t7SW0GyPgLqA2QS4ZvYK9t8z6mPQ4 xN834TOmb2Yq5guwJg/6FOBQtS4nRh7ANUQ+Pu/niX4dOnbfqhn6jxBU+uXinA==
    arc-seal: i=1; s=201903; d=dkim.mimecast.com; t=1720088142; a=rsa-sha256; cv=none; b=dic8XeewxbTS4wY+imRW5Q3OqI5ftYobzg4bl0RMbFTX9gjGWdMXeEScwou5d6p2AMrPO6 xvcvK/xloPtXka1nfTHxizqQ0KLwpdHUTHjmg+6jNQqrR3/MXAMJUiURa1S+iXx5O4om94 TsN/ALq5BVK5RxvdbsWv9efRXOnxxweUNTbinYTOybOkrZHTaBZK+fT/f+L0tTORnbGNFB WemjCaZmAdLZFkPg9L3V4gpqMNe3R2l1P5r1N0vWFjqqIW7hTRKU5if6cEog8rT9d4jMEo lBCW4nIi0WepQYY4eyvyEJw8cMes5wA56E9GST6s1fO+BApxjYQT2ZFcmXsuhg==
    arc-authentication-results: i=1; relay.mimecast.com; dkim=pass header.d=tobucloud.com header.s=mail header.b=LfaC3yEO; dmarc=pass (policy=quarantine) header.from=tobu.ai; spf=pass (relay.mimecast.com: domain of root@tobumail.tobu.ai designates 128.199.250.97 as permitted sender) smtp.mailfrom=root@tobumail.tobu.ai
    x-mimecast-impersonation-protect: Policy=Impersonation Protection Definition;Similar Internal Domain=false;Similar Monitored External Domain=false;Custom External Domain=false;Mimecast External Domain=false;Newly Observed Domain=false;Internal User Name=false;Custom Display Name List=false;Reply-to Address Mismatch=false;Targeted Threat Dictionary=false;Mimecast Threat Dictionary=false;Custom Threat Dictionary=false
    x-ms-exchange-crosstenant-authsource: AM4PEPF00027A6A.eurprd04.prod.outlook.com
    x-ms-exchange-crosstenant-authas: Anonymous
    X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
    X-Microsoft-Antispam-Message-Info: YVYr9p7jWLEgOl3nBJ6sK5CUxNcUyWG25H0Z602+l+yXqWkQB6M5Ub5PfXX2qg9c+cP3zG5h10Chw6vNJPA7N7DPJ0Qze30Hgq+3GZlP7duVfaHc8MnQuX5N8wLMp2MzTtxU4CNhY4u8MkXsSoqkGH1RmSe0VWA+YveXrcXn7TOoSno+IsVyLR0XMRmhiZ5e/1lC3q+5SJIaKBOA1OaOqxi/i5oZlCy6UezmCprOfmMwvwZrBEjvkiXp4As0OCV+TJHhsIOKWitiSed+AJ0HzBQq9QCY292+SRaZDNBkRTf0+DG7UaQtbpL36JPP14lRs7YJfazsptyfJHx6W3T5xphDMQlUizVIFSQdBZwzuOK59OYpZ5GOytdx4djkbIk6xlOsQTdlDXBC/E1vFjh3gYT22uBoKzNuOfdllLs//3BG/xLhNcZSONKrkSBeu9LvMqJX3tSz7FceZO6UxwAnqVAfSLGtIpoX5BA1Xu7Q0o6SKUDaXBXNWjZBp8dEipmqwtKZS7hlvXk/2zKQR4GS6XiBOCDfTc7N57WxENvRAD8vqYn2390J87h2K2sNMgYn+awUFCEC3n92SOCJrMsb7zgLZVUZAIJ5Sz6j7DjyV9iSywtrPmVgh30613C56ci14IDj8sazEY1mL0eEItfCIXlYLtL4XY3q0lpQI/l09G6pvVd7YtUBrrLtqnnWhBh4zvHvx7OxkPiWlrCnwGeXTvlAfm5cpLL1/Ny+AMs+xzilw8aMrZ0W0v5btngbvRN5TAeCWrabDVYK8e9GNnYhWfo1Op4YUf3BViJqSilSbWVP2lzpo9VMBK9QQrir4yxM8f9/B8Pb6FdzLdBWfVKJHFOXeBhvlfrjPbUwhZ9nbAB1Qe4uIitIUBbRr+c84a8bRF/+K0r+8u0PsCTh4sXCUMydQ5sWD2TwEFNc2/Lp0R7QYUVZlXZsZFItYNrsc+dS0qAaW5fRQBqa7BYh+oqm5iN7c6kkyo63R9o+csZpYlBuVilJ5jPe9q+t6c2tE2AVEfzwtjElxBqpCboBwlZ8XuckWaON6nvhu4jUQ6NAjU7h7q6YS2FKYsvleNss+PKpX8YBwY5NSMvGgw5PMqipiqZP8u0cQz9WJP0WjfcEKME6YSuN/iOiVEpMhuTOoOfzt/TMyspxBtwy/gjuH3yJ7CWInkDOosZOgPaD2AQryGv7Re1suwUOdlH/JEuNGMbo3jPygsgHX/rFchuw17C+Vv5r3AqrzLY60b6q5qEDGVxfblSgj1Vxvwp0/oa1GhXUpYPtclr3jH2Z4Q1nYdVK2vExsakMAV4Fk13G3ZUD8KllBQRu27/qmSlZ3JkjRdl2fIfajYdjfoOd7YIM+h0e+GODX9JZGihj9T1ifTA0X5oHo/wrpgPXkFWxTswifWt/OStwb1veO7608UK0jrAbRaFTTLhheabrHSSn2O5cX8/1sx0sQZOPClNAYjHlC6e2VasHKLra2uiMDncvy8wyo4KVrq4PHdTaQDI25+qCgX+MrsgdIorGH3fMmDhRrJE79tVKBsYYR3R0dELVPGS9revVG0gl1VFPT17qow7Ug0Q8Za1B3hsQAr7FaoAVAg+5QzQZ6NZtMYyhy8fr3YqzhaPwAncJvazrFagqLGEn90Z6PT8CaPAfg7ytqM+rUhtVTqaJH8kMin656/O/6RGV35HJHcNOxmSjfcN/pf41vaLWC6uuGbJb+gB9lPsgHxi+ZV8QZRDR7b+m/Nlb+ANVvIWj82uASZypXNZt600uMYqmSRmvGCvJIkKKLVjPosXQrnG0tC1RFGfVsz8MaQWs5Upx2o2FOi9ZcukI9aPo/pwm8/5Lmu+BSm6GXN1BXVvJWfcODSYtHarscabcVWHKgeX48TAIjaFUjhmji87gGngOOD4hrm6LAR1gaNtn7K1ZIHwCw0UD9wqKtIRmfLEoD0PxSN2h2J5GtTywwIsi00 uC83FcBtMRvG1s8lsQ5+DmZuKoh2zSmCSmNmZ2GNsAYzPBDA7jTTiGtJinIQ0bFq+Le3HZy9soiYw6rQEq8e5SN+4UOmyFzPAfSUQ++Xsv2ooX0RTsCNNOFs3i2giyoaG0aeFs2zKIe42/n2dqLKlypbe61C3ekevyhPwuZEA1wNrobHItLVXXtKjqOCW+GjE=
    Content-Type: multipart/alternative; boundary="_000_6686764a45921cad155414633bbtobucloudcommail_"
    MIME-Version: 1.0

    Icon Hash:46070c0a8e0c67d6
    Timestamp                          Source Port    Dest Port    Source IP    Dest IP
    Jul 5, 2024 05:56:13.323476076 CEST    53             63020        1.1.1.1      192.168.2.7

    Target ID:0
    Start time:23:55:59
    Start date:04/07/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EmbeddedAttachment1 (81).eml"
    Imagebase:0x6d0000
    File size:34'446'744 bytes
    MD5 hash:91A5292942864110ED734005B7E005C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:2
    Start time:23:56:00
    Start date:04/07/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "78F32E48-85E2-48F7-AD9E-A7623495191D" "D9DD06AB-9C1F-4E50-BE59-6FBD065C58E4" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Imagebase:0x7ff7df5c0000
    File size:710'048 bytes
    MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly