Edit tour

Windows Analysis Report
Simon has shared a document for review.msg

Overview

General Information

Sample name:	Simon has shared a document for review.msg
Analysis ID:	1541061
MD5:	c293130771a1c754f8efd4c35efb78ae
SHA1:	32f42e3e9fa5c7538fcbab282b9a41a139934a2f
SHA256:	5c3d99318a8694230306d7da20a89b7e4a16b61d66dc024d70d4a87c99a07e75
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 1756 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Simon has shared a document for review.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 3728 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "33C5B78D-24DE-4B02-B74D-9C15603B742A" "78BF39AB-8D64-444A-AE2E-E7663AFF313B" "1756" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 1756, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.office.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://api.scheduler.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://augloop.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.entity.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cortana.ai
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://cr.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://directory.services.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ecs.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://graph.windows.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://invites.office.com/
Source: ~WRS{975AE4B2-E865-49F5-A09F-89F5CAA5FA1D}.tmp.0.dr	String found in binary or memory: https://is.gd/6NgVrQ
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.windows.local
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://management.azure.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://management.azure.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://mss.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://substrate.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://tasks.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: Simon has shared a document for review.msg, ~WRS{975AE4B2-E865-49F5-A09F-89F5CAA5FA1D}.tmp.0.dr	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/YqYdCWLlDU5vY6KC6f1FoGt7r?domain=is.gd
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: mal48.winMSG@3/13@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0516160221-1756.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Simon has shared a document for review.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "33C5B78D-24DE-4B02-B74D-9C15603B742A" "78BF39AB-8D64-444A-AE2E-E7663AFF313B" "1756" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "33C5B78D-24DE-4B02-B74D-9C15603B742A" "78BF39AB-8D64-444A-AE2E-E7663AFF313B" "1756" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: Email

LLM: Email contains prominent button: 'view shared document'

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email uses a generic 'shared document' template, which is commonly used in phishing attempts

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe
https://entitlement.diagnostics.office.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://store.office.cn/addinstemplate	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown
https://is.gd/6NgVrQ	~WRS{975AE4B2-E865-49F5-A09F-89F5CAA5FA1D}.tmp.0.dr	false		unknown
https://entitlement.diagnostics.office.com	047CF057-88A3-49AF-91AA-FDDE686C352B.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541061
Start date and time:	2024-10-24 11:15:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Simon has shared a document for review.msg
Detection:	MAL
Classification:	mal48.winMSG@3/13@0/0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.182.143.215
Excluded domains from analysis (whitelisted): onedscolprdcus22.centralus.cloudapp.azure.com, ecs.office.com, otelrules.azureedge.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Simon has shared a document for review.msg

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.385098323869026
Encrypted:	false
SSDEEP:	1536:SHYL7pgso7xEc8Li3gs63NcAz79ysQqt2sHZ2qoQuurcm0FvoIVysxLP3C+n622w:79gGzSgPmiGu2jqoQfrt0Fv8m6jUCkQ4
MD5:	1C8F324A9A0B395972AD63DAD5915D6F
SHA1:	2E35A5DC2BA75FF5D874FAA2437ED515D0746D6D
SHA-256:	F02503E59B796F6AAA3B46D5B1238B749C11D1825B25BE37A956D093B856E3D3
SHA-512:	618742138D70E00A408D130C285413FCEDC217B92087D395FEA25E5B35BEB15603347A9EECEC09ED955FA57541C5393FBD5E2E216357570A3CA20387D29BD7C0
Malicious:	false
Reputation:	low
Preview:	TH02...... ..6.S.%......SM01X...,....#.S.%..........IPM.Activity...........h...............h............H..ht.S.....H{6....h........p...H..h\eng ...r\Ap...h....0....S....h8y.............h........_`.k...htx..@...I.6w...h....H...8..k...0....T...............d.........2h...............k..............!h.............. h%.>c.....S...#h....8.........$hp.......8....."h............'h..p...........1h8y..<.........0h....4.....k../h....h......kH..h...p...t.S...-h .........S...+h.~.....h.S................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:	dropped
Size (bytes):	1869
Entropy (8bit):	5.086324769214461
Encrypted:	false
SSDEEP:	48:cG3/OdnzyMdyrB4nzyeiSy30Jdyrh3nzytRdy+GkSyrf1nzyCdywYASyQEdSyO:Od2MEu2BbOE92zEebJ2CE7AbHdbO
MD5:	307A9E32C2D21F1EC9F0B8D2A492EEB8
SHA1:	B507A0BCF10D58F6C9BE9EE4090AF045117F92E6
SHA-256:	45047CE803B8CF38FFA29FAD4FF4208D514F7DD9526A0B84EB6A7841DFDD86A2
SHA-512:	85AFFFFC7941ADD6D5C430F2EA8F29DB561DEF50F8B08725BF850C2658D8F45F53875AA21A79F701744F742A13349A216A0154144A564FCA59D7C204C609F66B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-05T06:31:08Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2024-10-24T09:16:19Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-05T06:31:08Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-05T06:31:08Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>31169036496.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Apto

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\047CF057-88A3-49AF-91AA-FDDE686C352B

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178267
Entropy (8bit):	5.290273419209206
Encrypted:	false
SSDEEP:	1536:5i2XfRAqFbH41gwEwLe7HW8QM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:fCe7HW8QM/o/TXgk9o
MD5:	677495C0AF9EE83E537D186D2ABF1101
SHA1:	BE7CD9BBDDFDF7D948B87FFF26F881F90E83AE77
SHA-256:	37635B00AF1516CE656CD043536974A8BC72A8DDDE5B96DDB9C46C0CA1330B0D
SHA-512:	51154584541138B93E2FA5CAF4CBD33E283FDBB6C69F704CF4B271EB581690CEA4218668AA4BBD5DE4A4DAB96043E9B1B47FC0472F0AEC18A0D172A29CC7D575
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-24T09:16:20">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04591939678467531
Encrypted:	false
SSDEEP:	6:GteMyPV1dl3eMyPV1EF9X01PH4l942wU:xMytBOMytCn0G3L
MD5:	3B08CB19F5E153B4D9679B829A59B72B
SHA1:	E06490F6AA020C59378669C4BB9D782854192D85
SHA-256:	B569153D41019BB71052EB6D3A897C3A897EB23CB4FFCAB2DDA350FFCB58D305
SHA-512:	6EB069012ECCF38FDFE0C13E00C2BB430F14DD0B57C09EC399BE15D2DF54611892B5235F683FAF43252207EB86603ADB202CBFEC920268E166C6BFC983047E3E
Malicious:	false
Reputation:	low
Preview:	..-......................z....l......0r.......-......................z....l......0r.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.48510952792850004
Encrypted:	false
SSDEEP:	48:gDQ1aUll7DYMKRzO8VFDYMup8BO8VFDYML:zLll43djVGBpCjVGC
MD5:	28A9C176B425BD1E6639949088CABD92
SHA1:	EC4C5FA45C56B483F29BB422A99D45FBA923757D
SHA-256:	260873FD94449D4EEC2745C3B5BA16A79EB836E769E2891B626AED581847D6AD
SHA-512:	32B88E468F96E22346B4432CD3B36069CC9D5EF8544E382449949974E0F4B9094C0C75791160B280C716E2A1EF7B8E299613861F88166BB91182697DAE3E8DAC
Malicious:	false
Reputation:	low
Preview:	7....-...............0]...E.B.............0..v....xSQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{975AE4B2-E865-49F5-A09F-89F5CAA5FA1D}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	1840
Entropy (8bit):	2.0757967727712594
Encrypted:	false
SSDEEP:	12:AlGbkisfxcsQN/UbjVSlvFT/7GT0hIPiSgHLljcPyk+yQo68eO48hLS:AlGY0iVSlZ7GOIPiDHLlj8ykw8bd
MD5:	C1D82E10E5B4F7C7CFD21B3669BF97DB
SHA1:	89B9BB7E09F1FB46FC93AA3BEDD3DF8B805649A2
SHA-256:	710599C82B820D1121A990C52BD586FB9C241CB94B68D648B48B6DB687FC9A68
SHA-512:	417704CCC573B8837EFC8A8D129512DB77FBB881ABE49347D1A8566D7521EEF40F5F6175CB52CD418BF7A4DA7EBDEE54259EB05031C8B5DFC5A390766400512E
Malicious:	false
Reputation:	low
Preview:	........S.i.m.o.n. .h.a.s. .s.h.a.r.e.d. .a. .d.o.c.u.m.e.n.t. .f.o.r. .r.e.v.i.e.w......... ............. .W.i.g.d.a.h.l.a.n.d.s.t.u.b.b.s...-. .Q.4. .P.A.Y.M.E.N.T./.F.U.N.D.I.N.G. .D.O.C. .2.0.2.4.........................................................................................................................................................................................................................................................................................................................................V...Z...f.................................................................................................................................................................................................................................................................................................................................................................................................................*...$..$.If........!v..h.#v....:V.......t.....6......5.......4

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729761376683561400_4AAC7D61-CB71-4C19-BE51-D38C552FD3B6.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28768), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16275809610647224
Encrypted:	false
SSDEEP:	1536:bJuzF0MNyouH4NLho1up9YpGWlmHxJudK3DM4ZJY1LTSKOBYehvFvYag/zg345FY:XAMeAgQ95Be
MD5:	DB68152BC8A291FF12E89D190B9AB4C1
SHA1:	2A0C1CF74243FEB0C1F81B170F8A753DA454AD26
SHA-256:	885F7DE07E884DEC038674CF13EB8D5EA1FEBE2F5139ED360B35D494EEDEAE47
SHA-512:	64088753B511AE136CBB2A52FFCD5C98BC2CE6CF879DCEE6D4FBB51341646FC2760BDDAD2918F9E3D5E34E6E5E85DC42E99D7D8E24F631B452AA7CFD98BA9CF4
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/24/2024 09:16:16.877.OUTLOOK (0x6DC).0x1904.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-24T09:16:16.877Z","Contract":"Office.System.Activity","Activity.CV":"YX2sSnHLGUy+UdOMVS/Ttg.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/24/2024 09:16:16.924.OUTLOOK (0x6DC).0x1904.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-24T09:16:16.924Z","Contract":"Office.System.Activity","Activity.CV":"YX2sSnHLGUy+UdOMVS/Ttg.4.10","Activity.Duration":17376,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729761376685080500_4AAC7D61-CB71-4C19-BE51-D38C552FD3B6.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0516160221-1756.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.476342290397853
Encrypted:	false
SSDEEP:	768:fgGjZxMj/I3VPY7Jf4tg9WAulZ7bJ1HXngxYE21WW8WUWOWA:DCr4tg9WAKpZXsYEOc
MD5:	5071987175B8D5269356263E9CA8E0F6
SHA1:	0172EC5A1C5393D10E06492BA3083E1A4CF506F2
SHA-256:	50F73DCB5405C7B815AE33E63F6A40600FF8A6B8E08D1237559260D421544441
SHA-512:	E71E877C12480AB47C1ED6299827DD159267840F75024A671B4D1CC5652B6CABA968E6C6D41E4FEE1010E845F5CE5DE85E7AAF49004055743E58E6AC6C08F782
Malicious:	false
Preview:	............................................................................f...........M..a.%..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................G...........M..a.%..........v.2._.O.U.T.L.O.O.K.:.6.d.c.:.1.0.b.7.c.e.a.c.c.3.0.f.4.e.e.0.b.8.d.4.2.9.9.5.e.f.9.e.2.8.3.f...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.4.T.0.5.1.6.1.6.0.2.2.1.-.1.7.5.6...e.t.l.........P.P..........$.a.%..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBF9E2C0063876779.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.3900932985549125
Encrypted:	false
SSDEEP:	192:nknoqhpYp4+EBUJnUhsIu2ShUMJ/46UZA/+y2NgiXHWQOoqAbAWpNh/:kr84XMnlIu2E/J/46UZNyZiXHOoqM
MD5:	3BD757AB591C2596556CF928C4A5B0DF
SHA1:	CCFFB09BDE821017E5758E7DD1EB40C537B84996
SHA-256:	337A8491FB98A7F7CA222E52300015E6C6F8E41790E8363CB06CD35483D05550
SHA-512:	C8E6DF2F07DF50762E74C6445DA043B9A9CCCE2251966184CAC09415A282598C8F6080757D5E3DE2F52D5288D997F495F0153262B20397AD9B0A7B406DDD63C4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:lsmJlt:2Il
MD5:	23C6EFB68D3F9DD95D15B33275E6A99A
SHA1:	81C524ED3734B6468F550DB2163935E62B82C778
SHA-256:	5F4D2157BA5AB9D2B7198E3BC26E5B655318D2FAD6108A9ED89F637F33ABED00
SHA-512:	07CE84CEF04CBA1F59CDAC3DF3E2CF8167164F9FE14A921291C48C6311A50642BBC8223BD5D2DA8999DD745FC22A881F7FE05FCE64B708167A674DBC96B20A60
Malicious:	false
Preview:	.............................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.2923538931638971
Encrypted:	false
SSDEEP:	768:I3Qc5BXmmg592HoDzTgZ/9hOBoxhx1Az9WGKP3xtGi0Bft8BUTIZ:kYmgj2QzE19hoQ1oCnhGfteNZ
MD5:	8A48B01559FA7CDC6A22062141460B72
SHA1:	FA9D013A25053C3E04D276CB36DF0588C37EB46F
SHA-256:	DBAB8BFA5888A7FD8E4F811B59C6F3F9FF1011527E8E431BCD5D8DED1F0E2ADE
SHA-512:	D20E0BF1A02DAD9B4EE89E27B4DC1466090E6932932D75956C3D42CD2456C73C167BED92988B231C854D471B2DDBD56367AEEAF5343BBA6CB0F2DD88567EDF13
Malicious:	true
Preview:	!BDN....SM......\..............?.......V................@...........@...@...................................@...........................................................................$.......D.......V..............=........\|......:........v............................................................................................................................................................................................................................................................................................9..Gb.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.7632242839246564
Encrypted:	false
SSDEEP:	192:rSEGNT0chwHUNC+JIhykOach9q5c9yBhi1R434P6BDoAov0bPhB:2DT0cOmJ6ykmh9qS9ya1RH6BE6PhB
MD5:	9A9E3ED64E9B607BF2A944E3CEE4021D
SHA1:	4A6C0C4476030E6FEF370188CA9743D19D1A5386
SHA-256:	D8B563EF9139A764FE8E8F7238989AE09AF335F11D4948E48733979028E81867
SHA-512:	3AFD110F92B5403FB6203234C12FFEF684B7B62E05CE2DB633CCA9699983BE80A0BA647876087F48A41995ED84CB0E469EDCB35A5CAAFF7AAA938CEA9A552A38
Malicious:	true
Preview:	...`C...[...........7"0^.%....................#.!BDN....SM......\..............?.......V................@...........@...@...................................@...........................................................................$.......D.......V..............=........\|......:........v............................................................................................................................................................................................................................................................................................9..Gb.7"0^.%.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	4.030620725445839
TrID:	Outlook Message (71009/1) 45.36% Outlook Form Template (41509/1) 26.51% Perfect Keyboard macro set (36024/1) 23.01% Generic OLE2 / Multistream Compound File (8008/1) 5.12%
File name:	Simon has shared a document for review.msg
File size:	83'456 bytes
MD5:	c293130771a1c754f8efd4c35efb78ae
SHA1:	32f42e3e9fa5c7538fcbab282b9a41a139934a2f
SHA256:	5c3d99318a8694230306d7da20a89b7e4a16b61d66dc024d70d4a87c99a07e75
SHA512:	04e1a8cb0e0719bed6caa5e03b782dd99f1f80a86189d5354eaab304e84396d09330da9d51464a97e54fbe1ba72d13bbbc88e98b197b272c76e6e2d0a79b580b
SSDEEP:	1536:OVWLWIaqyehP6BhOBhfuqQV6VqtF7/oWXW4a9FEeBIE:OWa5e0BhGh4p9eBI
TLSH:	7583E1113AFA1119F2B3AF354FF69097893BBD92AD25955F2180330E0672E41D962F3B
File Content Preview:	........................>......................................................................................................................................................................................................................................

Static Mail

General

Subject:	Simon has shared a document for review
From:	Simon Wigdahl <s.wigdahl@wigdahlandstubbs.co.uk>
To:	Undisclosed recipients:;
Cc:
BCC:
Date:	Thu, 24 Oct 2024 11:00:40 +0200
Communications:	Simon has shared a document for review Wigdahlandstubbs - Q4 PAYMENT/FUNDING DOC 2024. View Shared Document <https://url.uk.m.mimecastprotect.com/s/YqYdCWLlDU5vY6KC6f1FoGt7r?domain=is.gd> This Document was shared by Simon s.wigdahl@wigdahlandstubbs.co.uk ________________________________ Sent by s.wigdahl@wigdahlandstubbs.co.uk using SharePoint, the best way to plan, track, automate, and report on work, enabling you to move from idea to impact - fast. Learn more 2024 Smartsheet Inc. \| Contact \| Privacy Policy \| User Agreement Report Abuse/Spam Kind Regards, Simon
Attachments:

Headers

Key	Value
Received	from DB9PR03MB8185.eurprd03.prod.outlook.com
09	01:13 +0000
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass
(2603	10a6:10:4b5::23) with Microsoft SMTP Server (version=TLS1_2,
2024 09	01:13 +0000
Transport; Thu, 24 Oct 2024 09	01:22 +0000
Authentication-Results	spf=fail (sender IP is 91.220.42.227)
Received-SPF	Fail (protection.outlook.com: domain of wigdahlandstubbs.co.uk
via Frontend Transport; Thu, 24 Oct 2024 09	01:21 +0000
h=from	from:reply-to:subject:subject:date:date:message-id:message-id:to:
cc	mime-version:mime-version:content-type:content-type:dkim-signature;
arc=pass ("microsoft.com	s=arcselector10001:i=1");
spf=pass (relay.mimecast.com	domain of s.wigdahl@wigdahlandstubbs.co.uk designates 40.107.21.108 as permitted sender) smtp.mailfrom=s.wigdahl@wigdahlandstubbs.co.uk
Authentication-Results-Original	relay.mimecast.com; dkim=fail ("headers rsa
header.b=PNtkPE4L; arc=pass ("microsoft.com	s=arcselector10001:i=1");
dmarc=none; spf=pass (relay.mimecast.com	domain of
uk-mta-85-W81L1utDMpqWesTt4HIKgA-1; Thu, 24 Oct 2024 10	01:18 +0100
X-MC-Unique	W81L1utDMpqWesTt4HIKgA-1
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
by DU0PR03MB8624.eurprd03.prod.outlook.com (2603	10a6:10:3eb::12) with
([fe80	:d38:35ca:b96f:1189%5]) with mapi id 15.20.8069.027; Thu, 24 Oct 2024
From	Simon Wigdahl <s.wigdahl@wigdahlandstubbs.co.uk>
Subject	Simon has shared a document for review
Thread-Topic	Simon has shared a document for review
Thread-Index	AQHbJfJ1Kle9/mxSKkuVuXlrZwkAGQ==
Date	Thu, 24 Oct 2024 09:00:40 +0000
Message-ID	<DB9PR03MB818541A145366F174223959EDF4E2@DB9PR03MB8185.eurprd03.prod.outlook.com>
Accept-Language	en-GB, en-US
X-MS-Has-Attach	X-MS-TNEF-Correlator:
msip_labels	x-ms-traffictypediagnostic:
DB9PR03MB8185	EE_\|DU0PR03MB8624:EE_\|DB1PEPF000509E4:EE_\|CWLP265MB6466:EE_\|CWXP265MB3863:EE_
X-MS-Office365-Filtering-Correlation-Id	2975831c-f277-4749-cdf1-08dcf40a6e0e
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|376014\|7416014\|366016\|1800799024\|8096899003\|38070700018\|105050200037
X-Microsoft-Antispam-Message-Info-Original	=?us-ascii?Q?sSI9zcNzDrtCK05C3uSwLZ2zDaOM4uJmnrQzDQEnI25cJd7tqy1WfroAGiRK?=
X-Forefront-Antispam-Report-Untrusted	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB9PR03MB8185.eurprd03.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(7416014)(366016)(1800799024)(8096899003)(38070700018)(105050200037);DIR:OUT;SFP:1102
MIME-Version	1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped	CWLP265MB6466
X-Mimecast-Spam-Score	9
X-Mimecast-Impersonation-Protect	Policy=Default Impersonation Definition;Similar Internal Domain=false;Similar Monitored External Domain=false;Custom External Domain=false;Mimecast External Domain=false;Newly Observed Domain=false;Internal User Name=false;Custom Display Name List=false;Reply-to Address Mismatch=false;Targeted Threat Dictionary=false;Mimecast Threat Dictionary=false;Custom Threat Dictionary=false
X-Mimecast-Spam-Signature	yes
Content-Language	en-GB
Content-Type	multipart/alternative;
To	Undisclosed recipients:;
Return-Path	s.wigdahl@wigdahlandstubbs.co.uk
X-MS-Exchange-Organization-ExpirationStartTime	24 Oct 2024 09:01:21.3082
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	2975831c-f277-4749-cdf1-08dcf40a6e0e
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	044ebd9e-a4d0-4dc3-a433-3f1e22de7974:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped	DB1PEPF000509E4.eurprd03.prod.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	DB1PEPF000509E4.eurprd03.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs	d6b8a2b2-1f05-4a29-9ce8-08dcf40a690d
X-MS-Exchange-AtpMessageProperties	SA
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|82310400026\|35042699022\|31092699021\|8096899003\|105050200037\|43540500003;
X-Forefront-Antispam-Report	CIP:91.220.42.227;CTRY:GB;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:eu-smtp-inbound-delivery-1.mimecast.com;PTR:eu-smtp-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(82310400026)(35042699022)(31092699021)(8096899003)(105050200037)(43540500003);DIR:INB;
X-MS-Exchange-ForwardingLoop	mortgage.desk@ncbs.co.uk;044ebd9e-a4d0-4dc3-a433-3f1e22de7974
X-MS-Exchange-CrossTenant-OriginalArrivalTime	24 Oct 2024 09:01:21.1832
X-MS-Exchange-CrossTenant-Network-Message-Id	2975831c-f277-4749-cdf1-08dcf40a6e0e
X-MS-Exchange-CrossTenant-Id	044ebd9e-a4d0-4dc3-a433-3f1e22de7974
X-MS-Exchange-CrossTenant-AuthSource	DB1PEPF000509E4.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:00:07.1399951
X-MS-Exchange-Processed-By-BccFoldering	15.20.8093.014
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?jycgFn2rOApazStzxqRqtJw44fNWaGLVS9zizcwotjSdfwsAzUxDEluOagtS?=
date	Thu, 24 Oct 2024 11:00:40 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 11:16:51.666999102 CEST	53	57285	162.159.36.2	192.168.2.6
Oct 24, 2024 11:16:52.320188999 CEST	53	64641	1.1.1.1	192.168.2.6

Target ID:	0
Start time:	05:16:11
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Simon has shared a document for review.msg"
Imagebase:	0xa20000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:16:19
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "33C5B78D-24DE-4B02-B74D-9C15603B742A" "78BF39AB-8D64-444A-AE2E-E7663AFF313B" "1756" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7882e0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Simon has shared a document for review.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\047CF057-88A3-49AF-91AA-FDDE686C352B

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{975AE4B2-E865-49F5-A09F-89F5CAA5FA1D}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729761376683561400_4AAC7D61-CB71-4C19-BE51-D38C552FD3B6.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729761376685080500_4AAC7D61-CB71-4C19-BE51-D38C552FD3B6.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0516160221-1756.etl

C:\Users\user\AppData\Local\Temp\~DFBF9E2C0063876779.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
Simon has shared a document for review.msg