Edit tour

Windows Analysis Report
(No subject) (91).eml

Overview

General Information

Sample name:	(No subject) (91).eml
Analysis ID:	1541504
MD5:	efb174e1f0f5b73ab950ab361960ea50
SHA1:	6757a77fad6b662c487a08654862f804a7304f04
SHA256:	2e1c79b2e09a2c9f1cd2df545a2a4b1ae62939c34db1fc0bea633c5e0cfca773
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6460 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\(No subject) (91).eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 4760 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C8D29D07-5E0B-4309-9B21-2D2C223BD71C" "F9248E8B-C36B-4A38-B94D-97D9F1873580" "6460" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

HxOutlook.exe (PID: 2188 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca MD5: 6F8EAC2C377C8F16D91CB5AC8B8DBF5F)

HxAccounts.exe (PID: 6744 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca MD5: 6FEB00C9A2C3FF66230658B3012BAB6A)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/c
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/gehttp://test-exp-s2s.msedge.net/ab/blocklowlabelimageloadsropcall
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/http://test-exp-s2s.msedge.net/ab/https://config.edge.skype.net/co
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/https://config.edge.skype.com/config/v1/cacheMemoryFullNotificatio
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: (No subject) (91).eml	String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.aadrm.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.aadrm.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.cortana.ai
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.office.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.onedrive.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://api.scheduler.
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp, 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://app.powerbi.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://augloop.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: HxAccounts.exe, 0000000B.00000002.2480679692.000001AAC0200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az804205.vo.msecnd.net/
Source: HxAccounts.exe, 0000000B.00000002.2480679692.000001AAC0200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az804205.vo.msecnd.net/f
Source: HxAccounts.exe, 0000000B.00000002.2480679692.000001AAC0200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az815563.vo.msecnd.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://canary.designerapp.
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.entity.
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/cacheFileFullNotificationPercentagecacheFileFullNotification
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.net/config/v1/
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.net/config/v1/http://test-exp-s2s.msedge.net/ab/cacheMemoryFullNotificatio
Source: HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.net/config/v1/standardprotections
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cortana.ai
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cortana.ai/api
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://cr.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://d.docs.live.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dev.cortana.ai
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://devnull.onenote.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://directory.services.
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ecs.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://graph.windows.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://graph.windows.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://invites.office.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://lifecycle.office.com
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp, 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.windows.local
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: OUTLOOK_16_0_16827_20130-20241024T1625420668-6460.etl.0.dr	String found in binary or memory: https://login.windows.local0
Source: OUTLOOK_16_0_16827_20130-20241024T1625420668-6460.etl.0.dr	String found in binary or memory: https://login.windows.localnulle.O
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp, App1729801542873750200_FCB8E314-5706-4211-BDB3-A6A9C8D05545.log.0.dr	String found in binary or memory: https://login.windows.net
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://make.powerautomate.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://management.azure.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://management.azure.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://messaging.office.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://mss.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ncus.contentsync.
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: HxAccounts.exe, 0000000B.00000002.2480857218.000001AAC0213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.com
Source: HxAccounts.exe, 0000000B.00000002.2480857218.000001AAC0213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexusrules.officeapps.live.com0
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://officeapps.live.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://onedrive.live.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office365.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office365.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://res.cdn.office.net
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://service.powerapps.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://settings.outlook.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://staging.cortana.ai
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://substrate.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://tasks.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://wus2.contentsync.
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	String found in binary or memory: https://www.yammer.com
Source: HxAccounts.exe, 0000000B.00000002.2489009272.000001AAC74DA000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/1xI

Source: classification engine

Classification label: sus21.winEML@5/20@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T1625420668-6460.etl

Jump to behavior

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\(No subject) (91).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C8D29D07-5E0B-4309-9B21-2D2C223BD71C" "F9248E8B-C36B-4A38-B94D-97D9F1873580" "6460" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown	Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C8D29D07-5E0B-4309-9B21-2D2C223BD71C" "F9248E8B-C36B-4A38-B94D-97D9F1873580" "6460" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: microsoft.applications.telemetry.windows.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msoimm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso40uiimm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.word.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso98imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso50imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso98imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.model.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxcomm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.networking.hostname.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.view.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hxshared.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.viewmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.resources.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hx.mail.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hxcalendar.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.remotedesktop.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.profile.systemid.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ploptin.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userdataaccountapis.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: accountsrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxoutlook.model.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: microsoft.applications.telemetry.windows.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: office.ui.xaml.hxaccounts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxcomm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.networking.hostname.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxoutlook.resources.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The sender's email domain (cromex.net) does not match the claimed organization (City of Santa Clara CA)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: settings.dat.LOG1.4.dr

Binary or memory string: VMware, Inc. VMware20,17

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://aka.ms/LearnAboutSenderIdentification	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://login.windows.net	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://config.edge.skype.net/config/v1/standardprotections	HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://powerlift.acompli.net	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://cortana.ai	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://config.edge.skype.net/config/v1/	HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.yammer.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://cr.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://xsts.auth.xboxlive.com/1xI	HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://store.office.cn/addinstemplate	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://globaldisco.crm.dynamics.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://aka.ms/LearnAboutSenderIdentification	(No subject) (91).eml	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://login.windows.net/	HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://outlook.office365.com/autodiscover/autodiscover.json	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	HxAccounts.exe, 0000000B.00000002.2481062917.000001AAC022B000.00000004.00000020.00020000.00000000.sdmp, 8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://mss.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://management.azure.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://login.windows.net	HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp, App1729801542873750200_FCB8E314-5706-4211-BDB3-A6A9C8D05545.log.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown
https://xsts.auth.xboxlive.com	HxAccounts.exe, 0000000B.00000002.2489009272.000001AAC74DA000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000002.2488670547.000001AAC748B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://outlook.office365.com/api/v1.0/me/Activities	8095E2CC-07E8-49AD-AF2A-4FECF10FF61C.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541504
Start date and time:	2024-10-24 22:25:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	(No subject) (91).eml
Detection:	SUS
Classification:	sus21.winEML@5/20@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, HxTsr.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.109.76.243, 2.19.126.151, 2.19.126.160, 199.232.210.172, 20.42.72.131, 52.109.28.46, 13.107.42.16
Excluded domains from analysis (whitelisted): omex.cdn.office.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, officeclient.microsoft.com, l-0007.l-msedge.net, wu-b-net.trafficmanager.net, config.edge.skype.com, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, self.events.data.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, outlookmobile-office365-tas.msedge.net, s-0005.s-msedge.net, l-0007.config.skype.com, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, onedscolprdeus00.eastus.cloudapp.azure.com, settings.data.microsoft.com, ecs.office.tr
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: (No subject) (91).eml

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Doc-Secure6033.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://email.sg.on24event.com/ls/click?upn=u001.7kf5QUY4LGF7Fzt7LGE4bbPPsSPtBC4KXSPVJqWhtiGKYA8h-2Fs2ZE4k4Mw5OTNkG7MXiFSxnNtW0j6ofSHAXW1HldotIiuSczAWXKMwqPC9SEFfmHbhfPeJSnLL1byLqHFtV-2B5-2Bzlu3aEmkvEsjdF4pfPyN0cCie5qLdpyqXEVc-3DdW75_nptsQERiP2bxDplO0Yopma5-2B3-2BHXjIBfjCSriTnBL6bDAIVjKAbvVGNCWdU9DqIsFlkV1hwq0qq8QFfBJ4Jw83lxfQiag11eNjful-2F5DZNB0MfOdNL9CUK7i3u0XSRn3tgRxnTXYhlIImrFKtd24RJvAaDi0YLYq-2F-2Bnuc9osPPDAYREdTeCb9pcHCOzNWNquq3heowckATHcFvqXT76Jk2gcbZFXWlQRsFjG8eDMpM-2FLXpgzBvYnGXnUOibU2YR8sPRE-2FoPHFza-2Fw01eQ45phCwYix9qckBwiXG0HXQmAbfGqimPLouUL92q8izxx4IU5EnAunMVPc46qKMPXhEF7g-3D-3D	Get hash	malicious	Unknown	Browse	199.232.214.172
	QN1BkRVd.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://na2.docusign.net/Signing/EmailStart.aspx?a=c6104538-ac3b-4407-b24b-a0b641ee4589&etti=24&acct=7853161b-6814-4528-85bc-ffe96cfca42f&er=09ab18a7-8de5-4c92-931d-cb9cd9f7b00d	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.canva.com/design/DAGUUU-VdiI/DdL4Z-_loK4X7NMMbGGnJg/view?utm_content=DAGUUU-VdiI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	199.232.214.172
	Windows-StandardCollector-x64.exe	Get hash	malicious	Codoso Ghost	Browse	199.232.210.172
	Payment for outstanding statements.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	ATT25322.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://app.pandadoc.com/document/v2?token=69b8ae0059c2551a9a27ed1b65653c1a0b5ee1ff	Get hash	malicious	Unknown	Browse	199.232.214.172

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4494683590191086
Encrypted:	false
SSDEEP:	6:kKUsK8B3JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:8rIckPlE99SCQl2DUevat
MD5:	37283C47053B3FCD31D23DCE5101804D
SHA1:	80256E9CDBA78D84F5ACF112F2A608E5067F3F74
SHA-256:	74C2BB5DDA0E3B87C170776221BBB0451CFED46B853B7251E97DECE2C91F2D63
SHA-512:	0657099C762C95ED34CF2DA65860D9D76DBF95F4ABE001BBDCED4D8BB2C7022AC048C493CE749BB3C063ED826A62FD275A5F856A11FCE1C96122453FB23F27B5
Malicious:	false
Reputation:	low
Preview:	p...... .........?..R&..(...............................................9p,.VZ.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior

Process:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	175027
Entropy (8bit):	5.293168411531623
Encrypted:	false
SSDEEP:	1536:Ci2XPRAqFbz41gwErLe7HW8QM/hMdcAZl1p5ihs7gXXSEIJROdYgo:yHe7HW8QM/FXfZfo
MD5:	28C1AFF0B55A3D9EE0F785F6B22F2742
SHA1:	852EEE988D4FCA63EBE38EE5259AC874AB9B16CE
SHA-256:	49A4807F2797EEDE23E2B24CD3EE991396F81CF4C199B5E31D9CC63B846534C8
SHA-512:	42CBA2176B28299CD064F6F28307A3D9F54188B8B08DCF5C8EFAE189D7683149D900E2CCED67672B1C7AAF668E3F8930D9B5081B3D118E422568328229BBD73F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-24T20:25:57">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

File type:	RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):	5.957411526186627
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	(No subject) (91).eml
File size:	8'645 bytes
MD5:	efb174e1f0f5b73ab950ab361960ea50
SHA1:	6757a77fad6b662c487a08654862f804a7304f04
SHA256:	2e1c79b2e09a2c9f1cd2df545a2a4b1ae62939c34db1fc0bea633c5e0cfca773
SHA512:	4e15be39a4004c964e66a6fa4f526d6621037ccd9e7441593fa21e9eb9dadd7f22748b0262bd17e77bac688f750f912170f493b7da9583e2dc31f9b139ffa78e
SSDEEP:	192:323y15wr/hvg5kZGC0Im7ul/CTkHv7yZM8ra0Fuj4r94THi:miEbd0R0AWKM8uiuEJt
TLSH:	7402F84E4EF9843649D022CD1D60FE0751931AAAE677E4E23EBCC267120B8EE5F4954B
File Content Preview:	Received: from MW4PR09MB9172.namprd09.prod.outlook.com (2603:10b6:303:1e6::9).. by SJ0PR09MB11062.namprd09.prod.outlook.com with HTTPS; Thu, 24 Oct 2024.. 17:34:16 +0000..Received: from CY5PR09CA0027.namprd09.prod.outlook.com (2603:10b6:930:1::29).. by MW

Subject:	DD Option
From:	Elycia Thomas Knight <aviso@cromex.net>
To:	nnader@santaclaraca.gov
Cc:
BCC:
Date:	Thu, 24 Oct 2024 12:34:12 -0500
Communications:	[You don't often get email from aviso@cromex.net. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Hi Nadine, I need to fill in my new checking deposit details before the upcoming payroll. What specifics do you require? Best Regards, Elycia Thomas Knight Project Manager, Priority, Related (Santa Clara) City of Santa Clara CA
Attachments:

Key	Value
Received	from [::1] (port=39864 helo=ramsesmailserver.ramsesdns.com) by ramsesmailserver.ramsesdns.com with esmtpa (Exim 4.98) (envelope-from <aviso@cromex.net>) id 1t41iu-00000004lcy-48LJ for nnader@santaclaraca.gov; Thu, 24 Oct 2024 12:34:13 -0500
Authentication-Results	spf=pass (sender IP is 135.148.226.108) smtp.mailfrom=cromex.net; dkim=pass (signature was verified) header.d=cromex.net;dmarc=bestguesspass action=none header.from=cromex.net;compauth=pass reason=109
Received-SPF	Pass (protection.outlook.com: domain of cromex.net designates 135.148.226.108 as permitted sender) receiver=protection.outlook.com; client-ip=135.148.226.108; helo=ramsesmailserver.ramsesdns.com; pr=C
DKIM-Signature	v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cromex.net; s=default; h=Content-Transfer-Encoding:Content-Type:Message-ID:Subject:To: From:Date:MIME-Version:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ICjmEt6FhtWfvF4WWBECjMaBOdRt8dO2Xq4YeCokiuA=; b=OqPrTF5+GEba4hz5cgX+dus/Pp nqEAipLFr3n00TSY2JSWIGU3ySwVNXqQ4lOUIl2mBULlWf0AghNK/yeDilYLYmMLOx2VCTPlcKmp+ zXX4rbK+xL5L88v8ZlTN689DbhVBKejnxGX+RUKZDHKrFeZJbvjZTmjKE72cyZQ3WDEMtSZp6eeXj DS1LMho1InMfkPaAby4e9j14YDPyYHTEZtnaM9ub+OL9iMluGIMp68e39ANXNgZNbYqhc1cEnPTH3 AZHgaSpbfD9+cHFB9v0n6THosw6a9pzZR4oLkxyQIoTaY/otpudlopbBicQRd/pE8+1YVgOj8F9Ro g/oMrKqA==;
Date	Thu, 24 Oct 2024 12:34:12 -0500
From	Elycia Thomas Knight <aviso@cromex.net>
To	nnader@santaclaraca.gov
Subject	DD Option
User-Agent	Roundcube Webmail/1.6.9
Message-ID	<5f4883de71f1c05ae5a085677347be65@cromex.net>
X-Sender	aviso@cromex.net
Content-Type	text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding	quoted-printable
X-AntiAbuse	Sender Address Domain - cromex.net
X-Get-Message-Sender-Via	ramsesmailserver.ramsesdns.com: authenticated_id: aviso@cromex.net
X-Authenticated-Sender	ramsesmailserver.ramsesdns.com: aviso@cromex.net
X-Source
X-Source-Args
X-Source-Dir
Return-Path	aviso@cromex.net
X-MS-Exchange-Organization-ExpirationStartTime	24 Oct 2024 17:34:13.3224 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	ee3cdd85-fdfd-4709-8ced-08dcf452139b
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	28ea3548-1069-4e81-aa0b-6e4b3271a5cb:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	BL02EPF0001B418:EE_\|MW4PR09MB9172:EE_\|SJ0PR09MB11062:EE_
X-MS-Exchange-Organization-AuthSource	BL02EPF0001B418.namprd09.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id	ee3cdd85-fdfd-4709-8ced-08dcf452139b
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-MS-Exchange-Organization-SCL	1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|43540500003;
X-Forefront-Antispam-Report	CIP:135.148.226.108;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:ramsesmailserver.ramsesdns.com;PTR:ip108.ip-135-148-226.us;CAT:NONE;SFTY:9.25;SFS:(13230040)(43540500003);DIR:INB;SFTY:9.25;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	24 Oct 2024 17:34:13.2755 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	ee3cdd85-fdfd-4709-8ced-08dcf452139b
X-MS-Exchange-CrossTenant-Id	28ea3548-1069-4e81-aa0b-6e4b3271a5cb
X-MS-Exchange-CrossTenant-AuthSource	BL02EPF0001B418.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped	MW4PR09MB9172
X-MS-Exchange-Transport-EndToEndLatency	00:00:03.5325205
X-MS-Exchange-Processed-By-BccFoldering	15.20.8093.014
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	pvKguFaIbsnhB29a85zZBvOrOc1TRTYKVPaAN8zz77AYAYlXkYYugSXNSD7twmDbbbZMjwcnQag5szGCiCqiau6Tn4+tqYdb6w6AdonwqlLRbRhIOEXxxquZLN0B4Ml7gKyl43ckwYdom+0BkOSnG6wE66k2oEzDtOX3hHum7IE1ExPSOXFMFI9uNbYUIo/Y+5XVvwQILP5Ax8QLMusvK2Vax9zSLQTb+R5TI3EfXBLZHlGs8XnGHU0CV6Duu2J0u/3tsF2RTaUXh67uy1YEdbkpDvIoK2hhPNoJFEtAeWo1TkvSqeKC/lLkqyn6htXHDCH0q9cmMA6XozlkuK9UI9cgVZY3BdVc8GDLj/0VP+r8SfI70KAPb6p4KSs1bqwOT574Mv3ApVqg+Y9odonfaA9g8vADOqhseW/5O87vc029IdZ7tpwJFn9J93xrAA0vZNTU8gHKsVDch6yNa8/b85nG6I4PycFDhYEmVsR0rpLpHJOQ6KPbmd9ErKWhA+aXXIqLe49TQUg2DkzBD23uukLa/hK9bTo1pPQaF2ou+E0wDkudAsIJ5AHGGV4eMVraPNdZVL7MQPZlfMoTuAWX31f/3XvmQ3+Ch1igU8XabPegmPInZ3uladRhsf6DW/a68sF7NCChNBrsJd5MLYJUZ9t2iE+TgTZHgiW5FnebiwZzfX4QbYZXqLGx8VO342U9HI1hM5SUu0rYaJca6XzeyhBaPS2uqf6hrQgqS0JQUwEd6qrVW22cHSwtEZU+pI7GRjAzaROoU0oziESKd9nN+4JdkGP1u8uWv7+AON3GM2qX9B3MBFF9sIj8rzSGZzhZ43jX961mMlajz9YHp2YPSbqDHUa8lVYPpt9jVKWcQi3jvs91oORHML4U0P1WVvJt91by73dUfDBw8GAb1GeSjPf7l4+DAGc3miZB33K/0Ws/iwHDLOpfBgvJWBWEGm3/1IDvetY1EVaCqj7Qtgm+CfmO6VCDwf1ZdXW6TNcwQBFuB6xJL8Pw7O8JQO8A4VnSp7vPYRi46uYGXzAGRvRBcK8XZyXGMl8EJZysR6K+NJ+wRK5W2hukjDcTo7mMbqu1gKC7YY4lrjGRsGRj+OEfQksAwBTZbs6lWFiyrMqdUp8vRfvutEv+YYEILJcxErZHOmXOa035Hjvt4OTDCQOzvkYKCXqKP4dv30td8CAXgpolVwdCRZFf94f4Hn86htX/ZxGyAPU9CZf85DZn28LSDe2WWvBuakniw37NoAvvLCcErM7vrHtz5C/TweED6Mu5nkxRHHiImx73qv6KvNAT3lcDMub0fRtA21hHeoNb8JHgg31vUfP4afZ8hf/zIfSo429vPkXLw8tes6e+sI8F1412GzDmTrATifKqfZLTf9vhWCF8H/Pzst1bXHXXFBim0ewMDo+5MwSzF1gedCPtFeFTdtEWkSZHcJEEYQmNeue+YImGmW7yTYsilPI+jtRKm8+D67Q+AtmzMfbz1MV0+KjzyoDAVyaiM8WDfuV4DSnss6LTy7Oby+seAxxPpAc53xaw0VKnUCZkkAVYY1OXdkxQMUWbspV77GOMJrgZzbelnrwTCfOj/2yapD8ELn003ea7y9OYfurQTZsVBokx1/kf+S4FbpgAj//ocCr17kVsXTzLtvHfVrM9YcD4c5rQgFzOdi0u+ROx/8oEBgfLD2BNX6kM+Ptz7mRtM2pswj7nGbYLcCku8sAXBRovXcQA07IDJukbp6rTQVc8cgCVIAQFFQ6CwU4y+uUsC8DzeRHwptu+xEb4TGERZywRtix7Sq1ZR1hEMpSvIVYJ9Cv4viedMmIE+qqv6783BcVjoGyDMnn8jdyn3FjJ8xd5sK9CUYp5layC1UrJBWnadVDV+djmWCaKVs4EWwjx0m7etU0ShzvgJRGnZtUdYObUMTudoYHl2YF06NA1utRIMJC++tWbCnFtuhRvmFBkz4FvvO70Cem++6OreasubirVhojQ8e33xX8wk3W0mONlcvBR9D1TgNpaPTFyk7uldD7U1WkBBviTYsk4AlcT8Maj0c6xVvfr+TjAV4/rnUbBjWky5QtG/4g0VnZEpByQFvN+P6g=
MIME-Version	1.0

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 22:25:46.314234018 CEST	1.1.1.1	192.168.2.18	0x8fd6	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 24, 2024 22:25:46.314234018 CEST	1.1.1.1	192.168.2.18	0x8fd6	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:25:42
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\(No subject) (91).eml"
Imagebase:	0x5a0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	16:25:43
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C8D29D07-5E0B-4309-9B21-2D2C223BD71C" "F9248E8B-C36B-4A38-B94D-97D9F1873580" "6460" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7d3b10000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	16:25:53
Start date:	24/10/2024
Path:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Imagebase:	0x7ff6cbeb0000
File size:	2'486'784 bytes
MD5 hash:	6F8EAC2C377C8F16D91CB5AC8B8DBF5F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	11
Start time:	16:25:58
Start date:	24/10/2024
Path:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Imagebase:	0x7ff7d27f0000
File size:	274'432 bytes
MD5 hash:	6FEB00C9A2C3FF66230658B3012BAB6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report (No subject) (91).eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\AppData\Local\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8095E2CC-07E8-49AD-AF2A-4FECF10FF61C

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxAccountsAlwaysOnLog.etl

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxmAlwaysOnLog.etl

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729801542873750200_FCB8E314-5706-4211-BDB3-A6A9C8D05545.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729801542874552000_FCB8E314-5706-4211-BDB3-A6A9C8D05545.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T1625420668-6460.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

DNS Answers

Windows Analysis Report
(No subject) (91).eml