Edit tour

Windows Analysis Report
RFQ - The Nutrition Group Proposal Request for Innovative Project.eml

Overview

General Information

Sample name:	RFQ - The Nutrition Group Proposal Request for Innovative Project.eml
Analysis ID:	1541773
MD5:	2673d9f339fa37396f0e300af03d1d93
SHA1:	22268d1dc6c5da2bf12bf0ff90660318ec6c867a
SHA256:	ac6bf57a7c72436d59ecd0564c0b76ba97ad1b94cdc04d9d7d6d99db8c9576f8
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 6112 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RFQ - The Nutrition Group Proposal Request for Innovative Project.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6104 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "945AFEC3-69DE-4515-88FB-0D4FAEBD45A9" "9AAE3045-8014-46AF-B03E-897A56A1FE70" "6112" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6112, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.office.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://api.scheduler.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://augloop.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: RFQ - The Nutrition Group Proposal Request for Innovative Project.eml	String found in binary or memory: https://bioaquatictesting-my.=
Source: RFQ - The Nutrition Group Proposal Request for Innovative Project.eml	String found in binary or memory: https://bioaquatictesting-my.shar=
Source: RFQ - The Nutrition Group Proposal Request for Innovative Project.eml	String found in binary or memory: https://bioaquatictesting-my.sharepoint.com/:f:/g/p=
Source: ~WRS{F68E0E9C-3498-41C9-8D6A-987F01A4AE14}.tmp.0.dr	String found in binary or memory: https://bioaquatictesting-my.sharepoint.com/:f:/g/personal/securedocument_bio-aquatic_com/Eu0LAzG4ab
Source: RFQ - The Nutrition Group Proposal Request for Innovative Project.eml	String found in binary or memory: https://bioaquatictesting-my.sharepoint.com/:f:=
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.entity.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cortana.ai
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://cr.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://directory.services.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ecs.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://graph.windows.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://invites.office.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.windows.local
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://management.azure.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://management.azure.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://mss.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://substrate.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://tasks.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/13@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0006270316-6112.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RFQ - The Nutrition Group Proposal Request for Innovative Project.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "945AFEC3-69DE-4515-88FB-0D4FAEBD45A9" "9AAE3045-8014-46AF-B03E-897A56A1FE70" "6112" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "945AFEC3-69DE-4515-88FB-0D4FAEBD45A9" "9AAE3045-8014-46AF-B03E-897A56A1FE70" "6112" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email contains suspicious links to a SharePoint site not associated with the claimed company domain

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://bioaquatictesting-my.=	RFQ - The Nutrition Group Proposal Request for Innovative Project.eml	false		unknown
https://designerapp.azurewebsites.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://store.office.cn/addinstemplate	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://bioaquatictesting-my.sharepoint.com/:f:/g/personal/securedocument_bio-aquatic_com/Eu0LAzG4ab	~WRS{F68E0E9C-3498-41C9-8D6A-987F01A4AE14}.tmp.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	5492FAE0-CF5E-4299-B781-D09E980A1AFC.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541773
Start date and time:	2024-10-25 06:05:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ - The Nutrition Group Proposal Request for Innovative Project.eml
Detection:	SUS
Classification:	sus21.winEML@3/13@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 52.111.231.23, 52.111.231.26, 52.111.231.25, 52.111.231.24, 20.42.65.84
Excluded domains from analysis (whitelisted): ecs.office.com, otelrules.azureedge.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, neu-azsc-config.officeapps.live.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdeus02.eastus.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: RFQ - The Nutrition Group Proposal Request for Innovative Project.eml

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.388480711886487
Encrypted:	false
SSDEEP:	3072:AEg982Q6ypGgIymiGu2kCDlqoQBgrt0Fv8OauLmy41aJPz:A98l6ypmymi2kCDInEOrLmy41aJ7
MD5:	579E19C6500B7E67C36507A8AA9B837D
SHA1:	4BAC28BB75865449324982735A1DF292A5294D4F
SHA-256:	C25587DE2DE6CFD5E6709E7E68F3AC7EFE42D22B25D29853DF5AE172DC13A00D
SHA-512:	FD7B1C60F697886341A34075E68774189503BAF85E5B10A9DA5937330729E872AFEC543B8E743C3AEB413B69795F104B7EC7482975F0F153AEBC58D4614D4A2C
Malicious:	false
Reputation:	low
Preview:	TH02...... ...6.&......SM01X...,....9.6.&..........IPM.Activity...........h...............h............H..hl..........+...h.........@..H..h\alf ...AppD...h....0.........h...B...........h........_`.j...h...B@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. hw..\.........#h....8.........$h.@......8....."h..............'h..............1h...B<.........0h....4.....j../h....h......jH..h....p...l.....-h .............+h...B....`................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:	dropped
Size (bytes):	1869
Entropy (8bit):	5.092663064216184
Encrypted:	false
SSDEEP:	48:cGsNdypdSyrvnzy7SymJdy+dydASyNdyrwnzyrMdnzyDkSyrXnzyO:0NEpdbT27bwE+EdAbNEs2Yd2IbT2O
MD5:	8D47DE1E817429F79B4761C5BE75B750
SHA1:	6C01AE2B3FE8876630BB3A8D69D236821CED5EA0
SHA-256:	CCC0266CC347399E242AF8FC75D6162D158752481443CA599C9C2757BC4AF7EF
SHA-512:	E910F288F12512B21A0C28FE9FAC49525BCB93DF7D6BE86D40CB76A6E40486A75D0264E5A316D9D1EBB45CFC555FC70CFCDBA61327B33CFF9E1061A40DC64419
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos_26215680</Id><LAT>2024-10-25T04:06:29Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-04T14:08:57Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-04T14:08:57Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-04T14:08:57Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos_26215682</Id><LAT>2023-10-04T14:08:57Z</LAT><key>31169036496.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2023-10-04T14:08:57Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876226<

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5492FAE0-CF5E-4299-B781-D09E980A1AFC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178267
Entropy (8bit):	5.290279100809564
Encrypted:	false
SSDEEP:	1536:Ni2XfRAqFbH41gwEwLe7HW8QM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:rCe7HW8QM/o/TXgk9o
MD5:	5B7751B7D2C2E1DE653859C01EAC180C
SHA1:	F89A07B0CAFABD228D82583708C24BB68FB641E2
SHA-256:	3FC7E96899F62A2F367319C4652BEA30B99C48CB81CD8DAAAA36FCED0954567D
SHA-512:	82B5CDDA13560F09E5F14D6AFC0366E691F4A4977936A8001C97D69D5DC8AB6F84AD456E45B6E42337486FBA55E1393E730AA5364AA5842248B202FE9CAD4AA9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-25T04:06:30">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04497712130921007
Encrypted:	false
SSDEEP:	3:Gtlxtjlp5Tducmo3HYlltlxtjlp5TducmovllR9//8l1lvlll1lllwlvlllglbep:GtRTmoo/tRTmol9X01PH4l942wU
MD5:	C4BEC0F7F636F6B8714FE88B614AC68F
SHA1:	07C8C0B22D85AF9395B091B37D63709E4849298B
SHA-256:	CE2E00890D2499EE73093AF875E97CA16240028F71D256A91D4749822C3C9719
SHA-512:	C2A5FD7FEBDAA7E94F06ADDDAE0F6E4D9C5DA0321DF854546C01665986D0B27E2BA67BF35F92D52C13DBB1303322094CF7C40674F8635B967B663260B53DF9D7
Malicious:	false
Preview:	..-.........................Cfe..@...5..FyI..2..-.........................Cfe..@...5..FyI..2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.48383348551136185
Encrypted:	false
SSDEEP:	48:yDQ1BtAUll7DYMfzO8VFDYMzBO8VFDYML:hHhll4YjVGajVGC
MD5:	C3C4C6C95EB0C178B963E704C2FDD7A0
SHA1:	72E73761A3CD92280A404EB84953A42962C83C6B
SHA-256:	C11DBA42C0A6270191930B759DC3A391C527BD199D26CA4737CCCE212B4505FD
SHA-512:	1224AEB04608EE575559E3F8A03BFBF93AA7DA9BD39B9714DAECA06F55AF48E888F11C22223FDB65772491ED4D44A2F12956443BFBABFDAC5F0A5886B3CD4148
Malicious:	false
Preview:	7....-...........@...5...C..............@...5..:.....;SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F68E0E9C-3498-41C9-8D6A-987F01A4AE14}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	3656
Entropy (8bit):	3.3613594997430387
Encrypted:	false
SSDEEP:	48:iLpxEicBUkgJCc/a9IGOYEX7L24orJf3zpBYL24orJ33LJoZzLORA:i5cS7CcWIGWu1fjp13bJoZzr
MD5:	1B4AC5EA574F9DFFD555A5715F0308E5
SHA1:	78C1F32ADC90671154D862D2B3226E88A2F76BE6
SHA-256:	6119D7ABA10AB9B9B81743B82F40FF8111D40DCB77FFFC4302C3484F6726DF4B
SHA-512:	77CD5A49C6E48FC462B83DFAA1CF133E2957FC8C2F4928798F30F5CB966F7D990CEB5FE3D2DEF09B46E22A33A0B97AAD2220E88A5D6AB255386A603B81C6DA1B
Malicious:	false
Preview:	....T.h.e. .N.u.t.r.i.t.i.o.n. .G.r.o.u.p...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................b...D...................\|..................................................................................................................................................................................................................................................................................................................................................................................................................................-D..9D..M............[$.\

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729829187808742200_E6762EB4-7FF3-4CAF-B3AE-C1A02C46ABA1.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28753), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.17792554743084069
Encrypted:	false
SSDEEP:	1536:Se4oFTZcTDvoGeRPCfyTRxx87HroFWt02WjCZoARzRs7+ZgjCic/PBs:DTO/oGQBGB+c
MD5:	14F28D9F0A5C749F388BF79EF39EF679
SHA1:	36902E93CB06882CB242D329A92023847E35239D
SHA-256:	60034EE2CB596EAF826215B825CC200F7B8E92A9CFA1F0D01365C19AFC90209C
SHA-512:	CFC52F1E447FA7DE6A9B4B2DEB478563D7AB066D97D06C03CAAEBDA3057A6B68C20EAAF6F58B2EC85F7E3C62CB7D2F2E664C3B75C03FCA05A266A7D2FEE2C322
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/25/2024 04:06:27.909.OUTLOOK (0x17E0).0xA8C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-25T04:06:27.909Z","Contract":"Office.System.Activity","Activity.CV":"tC525vN/r0yzrsGgLEaroQ.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/25/2024 04:06:27.925.OUTLOOK (0x17E0).0xA8C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-25T04:06:27.925Z","Contract":"Office.System.Activity","Activity.CV":"tC525vN/r0yzrsGgLEaroQ.4.10","Activity.Duration":15733,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729829187810314700_E6762EB4-7FF3-4CAF-B3AE-C1A02C46ABA1.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0006270316-6112.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.496596023569509
Encrypted:	false
SSDEEP:	768:gTbm3oFechnuf/7kY/teEi4sbE9+CvuaX9PyjWsWSWvW7PCtDff:UxAA4sI9+CvjXF8s
MD5:	9FF56824C665CBBD08EC21D3004C99A1
SHA1:	DEAC4B0076DC02BE1222D820F6572835D8759A20
SHA-256:	ABA94C0E8E5E1C99508E426A0E520E1AED5608B82F4AD6B1B66187DAB121F2CF
SHA-512:	D45CA3B23EBE8BC19711C33942954464084F71F3E54586E3D3272231BAC071290842105304F8C9C0CC50A5F20169B2BC31641CD2D98874DECD8327121B71B6A0
Malicious:	false
Preview:	............................................................................d...........(..C.&..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................`-.m............(..C.&..........v.2._.O.U.T.L.O.O.K.:.1.7.e.0.:.2.c.f.1.6.5.4.8.6.e.1.2.4.a.b.4.a.a.d.b.9.c.0.b.f.6.5.9.b.8.9.4...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.5.T.0.0.0.6.2.7.0.3.1.6.-.6.1.1.2...e.t.l...........P.P............C.&..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:4Kh/X:4K
MD5:	16F8F4D4D4475898869D042C41D689E9
SHA1:	428212FB0F2EAA5FF0442654E658E8D5C5D523C0
SHA-256:	96906CDDD9C83D84CC7B12A50B5F617E8CD7EE9CE4E62E2B49DE491BF0EBC6F5
SHA-512:	10430007B0C93A58FA672104695D4F3582945143A568721C28AE20F908830C7CF8B075A43A0CEE5F2A8D5F16569AF8A1524D7D1815EA3F4DE81E7C51F53C6877
Malicious:	false
Preview:	....OV........................

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	2.836591668108979
Encrypted:	false
SSDEEP:	3:QETlbol9:QEiv
MD5:	5FFBAD261CA1D087BDEA2DAA185561A0
SHA1:	A961E6EBC140F64BC9CBD47EB820DF77764969AB
SHA-256:	2FFE94EBE8D67CD72EE7F1D088DA8AC1B6BA2EBAB80463CC38AC10617ADF933B
SHA-512:	DE56BFA3EF7EB40E7D40CCEC2A99795CEEEB708F7D2E47520A6F82AAC3A72D69F4887BF3C515FB0C0136AF6D04DC90E4CBF4A704E13561EC3171373ABAE1D73A
Malicious:	false
Preview:	..a.l.f.o.n.s.....

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.1128272795167584
Encrypted:	false
SSDEEP:	1536:sTmigX36K+mXB3OhZvuqrDDdW53jEpEHP4qQ10PAwrn5PDOxW53jEpEHP4qQ10P1:ImtyYWLp945K/p9
MD5:	E27E365F9F96733FD25DAA4EB7D44E28
SHA1:	4508083A4E8853D9C1C3474754469E3233084D5D
SHA-256:	7286F94B6C6440BBB6E68A410AC423ED235BEDBD7255A9519B92D6BED6DB388B
SHA-512:	AD9FB1E2D73116F45B5C8F675C621D9D43A1BC779D3B93643EFE2CA2378AC6CC4851FD90149EC40BBE46AD7364C05549CDCA1B88E368656E0D9358010C0D59D2
Malicious:	true
Preview:	!BDN..6.SM......\...aS..................Y................@...........@...@...................................@...........................................................................$.......D......@........................z...............r..................................................................................................................................................................................................................................................................................D........Q._R.!.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	1.6371617371224765
Encrypted:	false
SSDEEP:	768:6W53amEpAHRHP4qQ10PAwr1dTnfOrx71ed6IlOTbPwIdwLlT:6W53jEpEHP4qQ10PAwr1dDOux6YIwxT
MD5:	7ED640C37A3E4BEF51926ECF5C55B6D4
SHA1:	56F0EA9E40681C75BC4C35405DF81965483E3096
SHA-256:	2C93838CBBAA9B331E63F80C560E093989CE42E0051DE24535D9041139B17D78
SHA-512:	A6DF67CE43E59C6D131E28343D0234415D1E96B7E755116EF88AB58C54D358FB8DBFCACE963C9410152ED18144DDF31459580E48372D741E78D936907D213FA0
Malicious:	true
Preview:	...20...k............J.A.&.......D............#............................................................................................................................................................................?.........................................................................................................................................................................................................................................................................................................................................j...D......BG.v0...l............J.A.&.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	news or mail, ASCII text, with CRLF line terminators
Entropy (8bit):	5.535608222267061
TrID:	E-Mail message (Var. 2) (17506/1) 100.00%
File name:	RFQ - The Nutrition Group Proposal Request for Innovative Project.eml
File size:	8'233 bytes
MD5:	2673d9f339fa37396f0e300af03d1d93
SHA1:	22268d1dc6c5da2bf12bf0ff90660318ec6c867a
SHA256:	ac6bf57a7c72436d59ecd0564c0b76ba97ad1b94cdc04d9d7d6d99db8c9576f8
SHA512:	4cf51c6068abf152403dce8c9e60ad2fc88e6431f6634ee1c69c7ab082c6907ff5c979495d3f74cc8c57fe9dda39863690140a057dee7dab34520b2a8846bd24
SSDEEP:	192:kWMBDyQ2EfobKRX/RqPUBPiPWPiQpwPiL0PiMPiu:x7lbKRX/RCtPZIPLbju
TLSH:	4002D526C58A08A702B7D1F4E07BAB0591340D8ED79746B074AF33F65ECA865339B34D
File Content Preview:	From: Salem City Tammy Graham <salemcity@thenutritiongroup.biz>..To: Salem City Tammy Graham <salemcity@thenutritiongroup.biz>..Subject: RFQ - The Nutrition Group Proposal Request for Innovative Project..Thread-Topic: RFQ - The Nutrition Group Proposal Re

Static Mail

General

Subject:	RFQ - The Nutrition Group Proposal Request for Innovative Project
From:	Salem City Tammy Graham <salemcity@thenutritiongroup.biz>
To:	Salem City Tammy Graham <salemcity@thenutritiongroup.biz>
Cc:
BCC:
Date:	Wed, 23 Oct 2024 14:34:46 +0000
Communications:	The Nutrition Group is pleased to announce a Request for Quotation (RFQ) for our latest innovative project. We invite you to submit your proposal and confirm your availability for the specified scope of work. If you have any questions, feel free to reach out. RFQ: #RFQ-525 TNG-INC-3<https://bioaquatictesting-my.sharepoint.com/:f:/g/personal/securedocument_bio-aquatic_com/Eu0LAzG4abJJn1FmlYYk6C0Bm-68IB0eiVR_FSTw6lLEjw?e=pg8DKY> Please be aware that the submission deadline for this RFQ is Friday, October 25th, 2024, at 3:00 PM. To confirm receipt of RFQ: #RFQ-525 TNG-INC-3<https://bioaquatictesting-my.sharepoint.com/:f:/g/personal/securedocument_bio-aquatic_com/Eu0LAzG4abJJn1FmlYYk6C0Bm-68IB0eiVR_FSTw6lLEjw?e=pg8DKY> Please reply to this email for further instructions. Thank you! Tammy Graham, CDM, CFPP Director of Food & Nutrition The Nutrition Group/Salem City Schools (540)520-9502/salemcity@thenutritiongroup.biz<mailto:520-9582/salemcity@thenutritiongroup.biz>
Attachments:

Headers

Key	Value
From	Salem City Tammy Graham <salemcity@thenutritiongroup.biz>
To	Salem City Tammy Graham <salemcity@thenutritiongroup.biz>
Subject	RFQ - The Nutrition Group Proposal Request for Innovative Project
Thread-Topic	RFQ - The Nutrition Group Proposal Request for Innovative Project
Thread-Index	AdslWJ5aFkTNJvz+SNmRbhEid4qATg==
Importance	high
X-Priority	1
Date	Wed, 23 Oct 2024 14:34:46 +0000
Message-ID	<SA0PR01MB6185DE1A1E8F9FAFDE8C27D4BA4D2@SA0PR01MB6185.prod.exchangelabs.com>
Content-Language	en-US
X-MS-Has-Attach
X-MS-Exchange-Organization-SCL	-1
X-MS-TNEF-Correlator
X-MS-Exchange-Organization-RecordReviewCfmType	0
x-ms-exchange-organization-originalclientipaddress	20.218.123.222
x-ms-exchange-organization-originalserveripaddress	2603:10b6:806:d9::23
Content-Type	multipart/alternative; boundary="_000_SA0PR01MB6185DE1A1E8F9FAFDE8C27D4BA4D2SA0PR01MB6185prod_"
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Target ID:	0
Start time:	00:06:24
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RFQ - The Nutrition Group Proposal Request for Innovative Project.eml"
Imagebase:	0xb10000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	00:06:29
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "945AFEC3-69DE-4515-88FB-0D4FAEBD45A9" "9AAE3045-8014-46AF-B03E-897A56A1FE70" "6112" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff67fb50000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ - The Nutrition Group Proposal Request for Innovative Project.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5492FAE0-CF5E-4299-B781-D09E980A1AFC

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F68E0E9C-3498-41C9-8D6A-987F01A4AE14}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729829187808742200_E6762EB4-7FF3-4CAF-B3AE-C1A02C46ABA1.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729829187810314700_E6762EB4-7FF3-4CAF-B3AE-C1A02C46ABA1.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0006270316-6112.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: OUTLOOK.EXEPID: 6112, Parent PID: 1028

Windows Analysis Report
RFQ - The Nutrition Group Proposal Request for Innovative Project.eml