Edit tour

Windows Analysis Report
abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml

Overview

General Information

Sample name:	abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml
Analysis ID:	1541907
MD5:	a4038facb833b1205b7e7ee53998fff1
SHA1:	bcb23ee1ad68a2435155d20a4a9acca813d1ffe4
SHA256:	a2f65ea2203c8a81195949497a1af108a2bb4bced3bb6ab0920b2d067e9bd1d0
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7380 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7724 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6AA7DFDC-C414-4D7D-9119-B8A66CE06D77" "E11B4C08-1EDF-4E75-92F3-39F3D029FFE2" "7380" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.office.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://api.scheduler.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://augloop.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.entity.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cortana.ai
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://cr.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://directory.services.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ecs.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://graph.windows.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://invites.office.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.windows.local
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://management.azure.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://management.azure.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://mss.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://substrate.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://tasks.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 203706D8-43DC-4071-94EE-639932565B06.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/10@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0400550873-7380.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6AA7DFDC-C414-4D7D-9119-B8A66CE06D77" "E11B4C08-1EDF-4E75-92F3-39F3D029FFE2" "7380" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6AA7DFDC-C414-4D7D-9119-B8A66CE06D77" "E11B4C08-1EDF-4E75-92F3-39F3D029FFE2" "7380" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email contains a suspicious link that redirects through a URL shortener, which is a common phishing tactic.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe
https://entitlement.diagnostics.office.com	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://store.office.cn/addinstemplate	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	203706D8-43DC-4071-94EE-639932565B06.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	203706D8-43DC-4071-94EE-639932565B06.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541907
Start date and time:	2024-10-25 09:59:45 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml
Detection:	SUS
Classification:	sus21.winEML@3/10@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 13.69.239.77
Excluded domains from analysis (whitelisted): ecs.office.com, otelrules.azureedge.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, onedscolprdneu09.northeurope.cloudapp.azure.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.386515258590074
Encrypted:	false
SSDEEP:	1536:+OYLxfgskq+6ZFZp+gsWLNcAz79ysQqt2obgFqoQEDrcm0FvzicyPb8FQZ+wcFvd:uRgcXigHmiGu2pqoQQrt0FvuYqCDiHQX
MD5:	1ED2C47AFEB780373F516A518AE55E13
SHA1:	162EA7ED0D0FDB54C67F535BCCDBA590EE843CFF
SHA-256:	C74EE234F8D49CB1A91B9E7CB4AC4676A98902951D70DA987FC22C061577D621
SHA-512:	5AA95DB34CAF0AAC2F432F00E11F307F6029702ED7E7C99321AA2EF9919486CFD7D93BE15BD38C17C79DBFB542B984520F71C9BD4A11394309192FF6021B14C5
Malicious:	false
Reputation:	low
Preview:	TH02...... ......&......SM01X...,........&..........IPM.Activity...........h...............h............H..hL.w........X...h........x...H..h\alf ...AppD...h(..0.....w....h..Z3...........h........_`.j...hw.Z3@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h...D......w...#h....8.........$hx.......8....."hH.......X.....'h..............1h..Z3<.........0h....4.....j../h....h......jH..h@...p...L.w...-h ........w...+h3.Z3....@.w................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\203706D8-43DC-4071-94EE-639932565B06

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178267
Entropy (8bit):	5.290292375467375
Encrypted:	false
SSDEEP:	1536:wi2XfRAqFbH41gwEwLe7HW8QM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:CCe7HW8QM/o/TXgk9o
MD5:	6A6F5A606A360D60003FC9AB65156F50
SHA1:	71B26197615FDC46B77F1A1DFF57C5F53C718FAD
SHA-256:	2ECC86D4B8C364548423A8A9CD481590CB35F7AAC2DFAD0A363FF488C7CB3D3B
SHA-512:	69DF86EAD1CB46E4000D273C1AD631DBF3028419715233C3292BADE77480E50E391FBFDB5E70D909459DBFE847E771D857EDEA40BF105217A45E61355BC58137
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-25T08:00:59">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.045461036493883875
Encrypted:	false
SSDEEP:	3:Gtlxtjlax+kF3xull3lxtjlax+kF3xuiR9//8l1lvlll1lllwlvlllglbelDbllb:GtOEll3OEE9X01PH4l942wU
MD5:	1E7DC8D1E2DCC037B4D7695ADEA589CE
SHA1:	77AEA4A796BD2975B2AFD51525FAFF1E73AE4A52
SHA-256:	91A43231AF95AE03D8D3937C4D2CCBCD1FC15BDF616933BCA9BB65D37C403DAE
SHA-512:	F1CA51FD810149A0704D70C5DAE175AE2F6E59DCE5D001E519B0A48FD4B854B0461D1E67746735A2C2469271BDC02340E44B7A0798A54F60E4B9BAFF41281F4E
Malicious:	false
Reputation:	low
Preview:	..-.......................@..tV.....}M..}Q....-.......................@..tV.....}M..}Q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.48496821489760983
Encrypted:	false
SSDEEP:	48:vuQ1wUll7DYMoHzO8VFDYMZ8BO8VFDYML:h5ll4FjVGnjVGC
MD5:	52280D29C6F099101A7B0959325C2F48
SHA1:	6146E30D2CC9A09FE60A7660B9E76B93F8275C9F
SHA-256:	1B3C3F4C64F5C92D471BB93210EA0E269C209AC886B58FB0AA3DDD169F6487C7
SHA-512:	C30230EB0BA639A98D2CD5D6EEED8057AA1EC242AD94B1E8BE5E16A54E7AB81D82AF550AC2E623F01F485098B4EED9679A70D2E34DD092BE0836DDFB63D30FEB
Malicious:	false
Reputation:	low
Preview:	7....-...............}M]...c................}M....$.."SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729843256764069700_830E9E70-663A-458E-A6FB-C8E094711F99.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28765), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16064640468660496
Encrypted:	false
SSDEEP:	1536:+8hd1XWeTCqgrwPnsX8F7hCwiAm2w8jlw9R9B9R/zmfBBL:RXN9gr2dBkx
MD5:	2566AD8B991E830342CDC4485FBF08D5
SHA1:	0A9B8FB15EA084B15065C0A7E8F05DBB9AA29E0D
SHA-256:	AAA43C505E42F0318C654F29A1327AD2582980792A186CCBFBC9F3EC84CB6758
SHA-512:	4BBF69A0AB672CDF2BA45444464E4801D96A37E1F577B2F126D8E0E7109787EED345DA7221F3F7B4DA105B05A9E4938B79C2E6135E3F2C0DCEE9A301797CA50C
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/25/2024 08:00:56.827.OUTLOOK (0x1CD4).0x1CD8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-25T08:00:56.827Z","Contract":"Office.System.Activity","Activity.CV":"cJ4OgzpmjkWm+8jglHEfmQ.4.9","Activity.Duration":21,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/25/2024 08:00:56.842.OUTLOOK (0x1CD4).0x1CD8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-25T08:00:56.842Z","Contract":"Office.System.Activity","Activity.CV":"cJ4OgzpmjkWm+8jglHEfmQ.4.10","Activity.Duration":13244,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729843256765349500_830E9E70-663A-458E-A6FB-C8E094711F99.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0400550873-7380.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	4.509011063265292
Encrypted:	false
SSDEEP:	768:CKFRupyQ2qEOKLe8n7Jqdc/knQDDmoHxoYa+pHEeRZ9BUjYsImkb7Dmq7IIZQ4Uk:RZIR4Ur9MA6JxxvMX6ToWv
MD5:	482CF6549585097FCD3BB0DF8488544A
SHA1:	D7A2231274D354CDFDFF30A21B056EFBB185F369
SHA-256:	7DACB87098525A17166270027680F9B7935733EE38D11FB0C34F641F8358E347
SHA-512:	97430097984EC431FE97730A8BF9B5AA3931C4D42E7CE989C99D456FBBE69B19FB22239E795E73405F80385C0BFF5E8D346501B85030E7051060755977A30525
Malicious:	false
Preview:	............................................................................d...........P....&..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................p..\|............P....&..........v.2._.O.U.T.L.O.O.K.:.1.c.d.4.:.0.c.0.f.f.a.c.2.6.7.b.d.4.1.8.4.8.3.b.8.d.c.0.d.1.e.2.3.3.d.f.0...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.5.T.0.4.0.0.5.5.0.8.7.3.-.7.3.8.0...e.t.l...........P.P..............&..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:q0lj:q0
MD5:	5A56DF494DC154490CCDF5497A71A8F4
SHA1:	949607419C7AE0795B23D0083C46CE840719B5BA
SHA-256:	DC770A6E7EE1FA9585C733061FEE12A1262E4593941B760689E71DFD377F76BC
SHA-512:	2A794DC21907B89BC6F1E94DF1F8236453BFF991397BE93952B3E47C2438D8AABEEBB77B90968F48EC1B99634D210A2086245E70D3FF49F9A6B58E50FC19BC23
Malicious:	false
Preview:	.....h........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.8227577597099724
Encrypted:	false
SSDEEP:	1536:l+5aPXPtMhnhTpnhTkeqwvqFw3qCoyC4yfbwzlt2pnfg6Av7c4W53jEpEHP4qQ1Y:lGaPPtYX6Yxhp9aqp9
MD5:	00A778E2CD973BE060C677F61387821E
SHA1:	CB843635AD93E1AC59858F82E5570AA354D739C9
SHA-256:	69630240B7FC8760F08977F72566FC4AFB3342523244BB1535034DEB694E314D
SHA-512:	135EB287C532B86462EB3AD5470674ADDA51C0568AC9BE96C9A4F463B1887C096BEA2AE416F07B199A96DEF38600D288FB433CD52E9F275F762F9B7902226DCB
Malicious:	true
Preview:	!BDN..i.SM......\...Lf..................V................@...........@...@...................................@...........................................................................$.......D.......v.......................................~..............................................................................................................................................................................................................................................................................................]......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	3.7384534608666176
Encrypted:	false
SSDEEP:	1536:W53jEpEHP4qQ10PAwr1JSYD4y7ET2piDglCnhTpnhTk0W53jEpEHP4qQ10PAwr1U:pp9S7Z5Gp9EYn
MD5:	1666C39287121DDB5611773908596FA8
SHA1:	9F70B94F1917FDC3985AE666C020B26CBF23B359
SHA-256:	43C0BB322C89C93651EE3492D53DB7AA51A6D4F5BDB1F28D6E75D2A0D5DB899E
SHA-512:	50B95B80CE6F8F0A3C115B2E51193F39C9BB66615D92EBBE2D3109D40EED443CC73B7F1926B8CC05E3D1A58ECBD380285F5EE3C7869796BBC1B0F0F2CADB4271
Malicious:	true
Preview:	....C...p............,`..&....................#.!BDN..i.SM......\...Lf..................V................@...........@...@...................................@...........................................................................$.......D.......v.......................................~..............................................................................................................................................................................................................................................................................................]...,`..&.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.0920233439796085
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml
File size:	22'528 bytes
MD5:	a4038facb833b1205b7e7ee53998fff1
SHA1:	bcb23ee1ad68a2435155d20a4a9acca813d1ffe4
SHA256:	a2f65ea2203c8a81195949497a1af108a2bb4bced3bb6ab0920b2d067e9bd1d0
SHA512:	0a2c5732020fb5c21bcc88fb219d31fe93c5e0a67b7a43dddd06402572c60fc67122dc242b0926ed5382f97daf02ace7540aa7b3eebe7c50a64460f790cdf6c3
SSDEEP:	384:ROkDF4k3pS3bKs58oir618dZBF4N1yMxUT/WUdFuPbhyHSixxqjzA:ROqTGKs8r6JmVuUdwXyxizA
TLSH:	6BA23B216E611032EAC151CA5811FD1723813991A8B740813EAF95BF5ACF0FFBF7689B
File Content Preview:	Received: from CW1P265MB7961.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:212::15).. by CWLP265MB2513.GBRP265.PROD.OUTLOOK.COM with HTTPS; Tue, 22 Oct 2024.. 11:11:18 +0000..ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;.. b=vdXeCHE

Static Mail

General

Subject:
From:	accounts@tsccp.co.uk
To:	dawn.youngson@aberdeenshire.gov.uk
Cc:
BCC:
Date:	Tue, 22 Oct 2024 12:11:07 +0100
Communications:	Dear Dawn Youngson, There is an outstanding Timesheet that requires your signature. Please click on the link below to sign or reject the Timesheet in order for it to be processed. Please can you also check the hours have been split according to the agreed overtime rules (if applicable) https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.timesheetz.net%2FEtzWeb%2Fu%2Fa3fc03fa61&data=05%7C02%7Cdawn.youngson%40aberdeenshire.gov.uk%7C709132028f4f410a620308dcf28a3ef5%7Cfed993064d2d4409959dd0edb7304a0b%7C0%7C0%7C638651922790098021%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=9yE5fjQ%2F0SLpsL3C%2Fir4xEcjSbotkWp85P22sJ1Qrhg%3D&reserved=0 The payroll deadline is 12pm each Tuesday and we require your prompt assistance with signing off this timesheet to ensure the contractor is paid on time. If you do not have don't have access to ETZ or are having other difficulties, please call 0141 270 5000 or email payroll@tsccp.co.uk Many thanks for your kind assistance The Social Care Community Partnership Limited
Attachments:

Headers

Key	Value
Received	from Svc01Prod (40.115.126.94) by DB5PEPF00014B8D.mail.protection.outlook.com (10.167.8.201) with Microsoft SMTP Server id 15.20.8093.14 via Frontend Transport; Tue, 22 Oct 2024 11:11:07 +0000
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=vyP3JJOieUSBW1wizq/r1k99T8OcJdriJMleDLtsTGHctWrpcUytNL9pVV8PhTyamZ85buwRAWqAzM0tF4RZcY5w4MbOL4NytON0aVtBlDHR5ysm+V6UWxWWIz6nJMJipdb+gMfcedBx/14mchtho5GkAY2xHagPYMivF5R6je/hH5GGxHvFcb1ERcMeAbQlYikTICpzm1xhygCM966jwVF6xYdYepId/zkFWOreTD9NSAHNRdjlfYhmJ9R6AVtvI8c8tGA9XNWf113eVw5G2XdgFrn6lXFQtW9d5FGJIejL7vDu5pEuihIAt4RDu+V6SiTI8+JEksWLAIuRezxmHA==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yFncFyQ/Hd/Fa7Qm+YIy6Hp+324R9LXGb2I1eUQWQTw=; b=LGuvTmHExYa0+wOXgl/0wkkBGwcPIc5zayQFzqtfEtJ+rNdLKbJe129QH7HDwT3Dm8eNiF8qJ/8sRelLCUHG75VryU5LftqGKvyamIAAn3tfvdVpbUYGaJPaPR4VYadQhh+8j/qQwvHtfVPRMk6Cd+AfRKxvCHU+/0siRgesupmvbiye2P1iN2gcPpfq92qwHw9lkOZcO7RqKtdU104VPc4lvXF3iqmitB/MmbANfshrwWuZZBFYtVNL0lID6Dei5KyNWnQ1P9YgDpZta4j0YKG1WLNsIhuhJ5X8FtmdwNAtEOYonWjqDA1DoXV2uhN9xRr8twn27Vjksro5CtpSdQ==
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=fail (sender ip is 40.115.126.94) smtp.rcpttodomain=aberdeenshire.gov.uk smtp.mailfrom=tsccp.co.uk; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=tsccp.co.uk; dkim=none (message not signed); arc=none (0)
Authentication-Results	spf=pass (sender IP is 40.107.21.124) smtp.mailfrom=tsccp.co.uk; dkim=pass (signature was verified) header.d=tsccp.co.uk;dmarc=pass action=none header.from=tsccp.co.uk;compauth=pass reason=100
Received-SPF	Fail (protection.outlook.com: domain of tsccp.co.uk does not designate 40.115.126.94 as permitted sender) receiver=protection.outlook.com; client-ip=40.115.126.94; helo=Svc01Prod;
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=tsccp.co.uk; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yFncFyQ/Hd/Fa7Qm+YIy6Hp+324R9LXGb2I1eUQWQTw=; b=ahZzh0CMOigtIGVqnjz0W3ZzU4f5iNA5Xs6n/okJgfvfw/s1U3fXY/99lyhygi0CBiSQ5ZGyDSGJxzeaqFB/3/t9gNEtaOC2s/0wRosCAJ6JDabYOCUSKPJf63sMoqiTZ0dg7NGtH+an6SLbehrHfwMSJrwx3FZ2gkX6SnSB8QIa4uJKIvPqljYZdsYeguCSEnvuk15RuJkEoCseGdWT0ZSc1BOG2geAPxTjwF1FbKmWwBJd0bpyLT/1EBPywb3IB66zGC7YXFV4uKaXPCnbzF+IRUidMD8CJIVp6cJWPBT2etr6aacN7tbuyJNGB8eevW5ASuLKwNwKrkHMCzNOUw==
X-MS-Exchange-Authentication-Results	spf=fail (sender IP is 40.115.126.94) smtp.mailfrom=tsccp.co.uk; dkim=none (message not signed) header.d=none;dmarc=fail action=oreject header.from=tsccp.co.uk;
X-ExclaimerHostedSignatures-MessageProcessed	true
X-ExclaimerProxyLatency	19427163
X-ExclaimerImprintLatency	12174620
X-ExclaimerImprintAction	06d07fa00c954ac982eaeb63c557183c
From	accounts@tsccp.co.uk
To	dawn.youngson@aberdeenshire.gov.uk
Date	Tue, 22 Oct 2024 12:11:07 +0100
Content-Type	text/plain; charset="utf-8"
Content-Transfer-Encoding	base64
Message-ID	<bd768e3d-e296-4fbf-a9b1-a4cab6194356@DB5PEPF00014B8D.eurprd02.prod.outlook.com>
Return-Path	accounts@tsccp.co.uk
X-EOPAttributedMessage	2
X-MS-TrafficTypeDiagnostic	DB5PEPF00014B8D:EE_\|DBAPR05MB7221:EE_\|AM2PEPF0001C70A:EE_\|DU0PR05MB10368:EE_\|DB1PEPF000509E9:EE_\|CW1P265MB7961:EE_\|CWLP265MB2513:EE_
X-MS-Office365-Filtering-Correlation-Id	70913202-8f4f-410a-6203-08dcf28a3ef5
X-MS-Exchange-SenderADCheck	1
X-MS-Exchange-AntiSpam-Relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|1800799024\|35042699022\|36860700013\|82310400026\|376014;
X-Microsoft-Antispam-Message-Info-Original	ccBf6bXxGjRAi7Z50rdncHZzJkL8QR8qlx9CwaOF9VK+5r31IMIdbiYlvwwqw99yC5KlGNGZWeTULvEtmLaRNd4Lo0bDbFNm+Z8gK4bvP9YfwZvbphoE9jSJBOLYEjGJzgzezARoPVam4SxxUsDRqcxoJBD07VuL1gsGs6bKa44OG95OFxbvJKufSxwPG698oIes1TEYelkSue0P/CSwpotHuVBZZNJ6FUVag8zXGNwV8KX9qCK8EzWJU9QrjfCGX8RNM18//o5ESwvmbB5WdtvL0b6i2jqgq3wO59viayrdv6Z+H+0aciE4INrR+UEALGCX+cbe6Sfh5Li263KaEJMw1KHszQBeXifrulxBtfivyYsHvklPYnFBLAfE4xMmXf2zzeupRcU+M24FfTitAK524v+ZwFodiCDFrFf7dGDTETYepEwaQDpmS1PbzMucsHVbFgoWpN1/P3NQl7rmnlrbASjtTM6xlW8wAPE1+hzdbpjfdYGof5nl8zuyu4/l0NAwkdlujHmQ4deFv+1onyLiJzQpIAbpK4H/tIl4pXawtYwuTYTBlFTKeznxVp8MarUTfqM8vh6rlAoxFewxf7db8qOEOoKNMii67WKF7tGerW+gO9y5O6vJ+NYZtSKVunjh/1lDO+CH4u2wTvWNZSk3gkJ9l7ks2ho3YGWC4pf7azAkiQyyPXiUDWKDzLd6JbaGKWfCem+0rBKqcP4xet4W58lW4C8tQcf9tRvBoEc6mQFOOmPrK7GH3FCCLwhapgRm30mPYJ+FgxrGsrOmPmP+jb6VRFwtehw7aducUp69UHtMeO62qgYC+uJDucHQdg4DX/RIfUYv7Cw2yZSAEFNSFc3BFDal2Cv9iUj+f7DdfO5t1oequJvg62linutPrJwtvl94uctMAa4wTw5kCVSG7lpEBWjSXFq2w53+xx3iZ3ktbd5o2G+5qt/rRDRnPfTViRMOhg4UZtLuE+K8lZtapfYTEB+Th9E5WPBKpYCjCHiFZIR6YvIPx0XK25fcN+GLh+c9Iuj8W31hGAbvaSoSO+7n8TBntI3uJKy+XmSMqPYnn1O+xOq+M09GDbSHQo/EBivNZtA0+zUYf1bNGli/b6Wulb/3M6aVukUIqNAv/zTgxKfxfYdaU88LdN+DcDfg6yH450F9/287/NHRJfCj3PbknlPzZ/XFCmrISP462zqnGZ2bPvgJtz0T258XoMRou/jLlLkGN+0CCv/FtHqgoBixn7bc8IV8mDBZnjsNWW9UeABZt4mD3+1svxCVWiRbudBDIsVkHsmz1IWOPtl4UPgNF2ZMl2CGnwR24KfeUiBjypcE0Xb3i4qmteoNOUWvhdw8INQoJdoRYh7TlaDvL/x4+j2N2biICnwHVvk=
X-Forefront-Antispam-Report-Untrusted	CIP:52.169.0.179;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:eu2.smtp.exclaimer.net;PTR:eu2.smtp.exclaimer.net;CAT:NONE;SFS:(13230040)(1800799024)(35042699022)(36860700013)(82310400026)(376014);DIR:OUT;SFP:1102;
X-MS-Exchange-Transport-CrossTenantHeadersStamped	CW1P265MB7961
X-MS-Exchange-Transport-CrossTenantHeadersStripped	DB1PEPF000509E9.eurprd03.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs	95fd467f-0946-4f6c-7ad3-08dcf28a3cf0
X-EOPTenantAttributedMessage	fed99306-4d2d-4409-959d-d0edb7304a0b:0
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	DB1PEPF000509E9.eurprd03.prod.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Microsoft-Antispam	BCL:0;ARA:13230040\|82310400026\|35042699022\|2092899012\|12012899012;
X-Forefront-Antispam-Report	CIP:40.107.21.124;CTRY:AT;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:EUR05-VI1-obe.outbound.protection.outlook.com;PTR:mail-vi1eur05on2124.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(82310400026)(35042699022)(2092899012)(12012899012);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	22 Oct 2024 11:11:15.3884 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	70913202-8f4f-410a-6203-08dcf28a3ef5
X-MS-Exchange-CrossTenant-Id	fed99306-4d2d-4409-959d-d0edb7304a0b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp	TenantId=0e0dfd2c-eae7-42cc-b402-847b3a78281a;Ip=[52.169.0.179];Helo=[eu2.smtp.exclaimer.net]
X-MS-Exchange-CrossTenant-AuthSource	DB1PEPF000509E9.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:00:03.4566197
X-MS-Exchange-Processed-By-BccFoldering	15.20.8069.027
X-Microsoft-Antispam-Mailbox-Delivery	dwl:1;ucf:1;jmr:0;auth:0;dest:I;OFR:CustomRules;ENG:(910001)(944506478)(944626604)(920097)(831239)(255002)(410001)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	UmWYMt/CnBFPSttZ/qC1fwhl0WGOlPjp/FsnCB2s8Ga1m/zno2dBZb8ICOC/0dC5W3wHnHLF6h5hBfPzU9L9ylWtU3RSvifmJHbKflCZa5xf9aR3s9WafE+GR1XBhzp/sNLUnqlVGkXlOqhGJJTErmIl3Vu2DYkLiFNYFqMU1MHoewF9oBPVhzBKlneIddjEpV0NqzgJ1jHnMZRsQbZLjogbgy8+J7R6NR+K6+ifXYpNFj//aF+1UkSGknp/19IGM1jvDRAEl6AMQ79+OxHYDAaEsUxgdSaahC8h0OgdFICnTNHzfVx/GyT9yBCk09W8rSvB/Ote2AUi/cLByBvkNYYUDI9fPOsYyjlpoyHUSxyd/BMqC4Oay0SM0pbUTDURqpr0PdSITACOm0LJ6T0uHaw2/gFkObNCtlVsdepJV8OlXe+Cqe0hx38So32xL8PaXqJrLsGZ1neFGVoZ9hBfqZWiRZ9N2+aRbR56XWSmoyNLO1ibjfFCgx6DC2JrIZ17gSs2xeNJV/TWPzm+J8Ics8yVSOuWfyLXr1pLPV5ATYMPzhMrOl2WUJb5pLSVxYZRxKB7cTArNYDhlL0XMogtgdTAWgLeG8HO8kQPC9roR7TxXFE9NMShWphuxvSLnKUnQrLxiZB9tsqnKKS5Gkfrn1Iy1WTSQA5vjLGZ9XNIr23PqDIAAJZRRhphtYASnJSOE6KM7Dg5UGjEMrPRHhgcgXLQ04961b9eGy1oPf1eVLxR50az+oti5eiwhGOwjZVI2IWqaJcl31BsFxIz62X6rEOB5HzwqqgvRRysXIv5MTv9uEP90qqWPEQt7A2bXi2BCRNcdZBjQmuRgzSz6oglUazPjUwwniGKqbiHUUZkDKBElzVBHU3dLq1V+P2+xEczYM526sET+eK6SgKrRsGDWXITEYXUYX4pIoKmgUl6pIv+oyHjeGrgxYaCpU6JxdvwUJ2ydtc2r2kV9P0rvE9vOgmR5reVy7qnhMTGTahOcDAw7SZIh2ILpeHw0F0Gia/XMxj/n6mn/xue1YcfoNAmbaQ1dBbFUaYwLXEG8bU+T4PVkbo8PxF5tE9yyso5QVrbHTZobvfgNrr8f6FqbijsKPYlhlAs6+RRE1Kq9S8C+jFX+tQj+h1axx0OhMzvpvfi687tml02OBN2PVvJIdR498gOZ0rlgwazOnDqSMKveRwQauJ2BtKDqy/xDCAq8R1xPwey+5ABZGRK0l5t0i2czkS4BfK2FsDqC00CQqPCSW0GIlXAfsUFus9r7ABSW/ptXzbjGsWA4x8cEvJnrArFfJ8MtFoHO57/BiotIJJE4g5sDCPfXFcKnrb3YHfOL6b+mODmJBleQsJ00mW/hVu1caghQEJ/lrOxFabOy4bPJNwVEQy6BmLChFa0hOUhdDs+umoyKpGRkNx4XnA8ptCDiCJP/0NRwxflaYksJWqTfAE/RwSkhMg7l7tv0XbmNr/0KklLB7QpaPYJVA6XG+Nn++M9Wiev6KqLrpOj/wOZJFEuQDu0YDUVdk1+A3zwxEKR7juB9HYZ/FC53f0qhaJrZQEEjSUvgIOOa7nHIz0QBPPmntVNW8rVHl4p3qHDn+suc+/hWjkZkq5yN/bIFjL81qt6Fl7Ygpp1ltTqUcOtX2EDQtJKF0ApBlythQfKExuDzsV+C1LKNhruMNYZaPzYbnlDMR1Y1mn1m2mzZwhVMsTPb3MJPdBmAuWW0vZF/ABldJNWWntGALIzT8Lnx2cxJJCGtgpChKrqQuN9UJxNBI4LpeiE9HTsFp/xhhm7/LQ7sny6TIWXUdymQGaGFEWi/eEXMuZaI7PM2JwwVr+5qStAXfb7jvRd3Lb6/Lnrkn1Z7q9Ixv4cpzoYgJRp1wQ4rH8MOZ37LDkmQ2NHtcdmW59yw1rSeF+v4YxiuF4uMvQHt1HIsqLx/ctaDxdIz5Rbk9YZrO/JiVp8dBE26BYb4RRAWybrlVpeNnL1YYfhhaFORH1y55bj0sPshHON+ohQcyvib/iUSh11wOpKQcSFUY1f/bHBAg+XbzTYVneVzzajcJRBzy5efpwMU6AH/NXD1HX4SV+/u2DKQOXitau44mZ/rSJxVnkfTV1U9N0vhLIN
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Target ID:	0
Start time:	04:00:51
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml"
Imagebase:	0xd00000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	04:00:58
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6AA7DFDC-C414-4D7D-9119-B8A66CE06D77" "E11B4C08-1EDF-4E75-92F3-39F3D029FFE2" "7380" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7b1d90000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\203706D8-43DC-4071-94EE-639932565B06

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729843256764069700_830E9E70-663A-458E-A6FB-C8E094711F99.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729843256765349500_830E9E70-663A-458E-A6FB-C8E094711F99.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0400550873-7380.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: OUTLOOK.EXEPID: 7380, Parent PID: 1028

General

Chronological Activities

Analysis Process: ai.exePID: 7724, Parent PID: 7380

Windows Analysis Report
abbd0ee5-ed71-c47d-8792-e2f9cc5a4f73.eml