Edit tour

Windows Analysis Report
Fw thanks for the purchase.msg

Overview

General Information

Sample name:	Fw thanks for the purchase.msg
Analysis ID:	1542081
MD5:	c5c22c0b55f694394add5fc33385af36
SHA1:	9a023c633038f6944f19d7707778ad3a59ba6f16
SHA256:	5a3bd65344039d31e71bc9d51a6b024285104b53f616bb252fdc66d6d0877b20
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7780 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fw thanks for the purchase.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 8064 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A23BE57F-CC25-4808-8FCB-D94EDB892656" "9A13936D-B1EF-4C62-A3F6-4EE10EBF612B" "7780" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.office.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://api.scheduler.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://augloop.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.entity.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cortana.ai
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://cr.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://directory.services.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ecs.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://graph.windows.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://invites.office.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.windows.local
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://management.azure.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://management.azure.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://mss.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://substrate.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://tasks.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winMSG@3/14@1/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0858460662-7780.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fw thanks for the purchase.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A23BE57F-CC25-4808-8FCB-D94EDB892656" "9A13936D-B1EF-4C62-A3F6-4EE10EBF612B" "7780" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A23BE57F-CC25-4808-8FCB-D94EDB892656" "9A13936D-B1EF-4C62-A3F6-4EE10EBF612B" "7780" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email lacks any specific purchase details or transaction information

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe
https://entitlement.diagnostics.office.com	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
241.42.69.40.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://store.office.cn/addinstemplate	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542081
Start date and time:	2024-10-25 14:57:45 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fw thanks for the purchase.msg
Detection:	SUS
Classification:	sus21.winMSG@3/14@1/0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 40.79.173.40
Excluded domains from analysis (whitelisted): ecs.office.com, onedscolprdaue00.australiaeast.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, neu-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Fw thanks for the purchase.msg

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.384069387394482
Encrypted:	false
SSDEEP:	3072:magZMBgrmiGu2taqoQKrt0FvW33H7Lv7PlOQ1:mQ0mi2tnG3bL7Q
MD5:	ECCC61A9836EC640AA08FA6FA9382521
SHA1:	3CBD79BF1166F8C4E586CFA09412D35D7D06DAEF
SHA-256:	1A0C238C9C72D82F2BA4E8228FFD94803C094FA118C6E11AB07B1D93BC7D8E32
SHA-512:	6492464A80BF5759F783067D291C378F9A368706AD0A061D18FB49CD4FEE9FA14A20794C6CE8E6FFC99A1A2ACCB2E70D33845042DFCF257FCE67D737380195AC
Malicious:	false
Reputation:	low
Preview:	TH02...... ..Rx..&......SM01X...,... kl..&..........IPM.Activity...........h...............h............H..h........,._....h............H..h\jon ...ppDa...h....0...p......h<.............h........_`.j...h....@...I..v...h....H...8..j...0....T...............d.........2h...............kU.I...........!h.............. h............#h....8.........$h........8....."h..............'h.. ...........1h<..<.........0h....4.....j../h....h......jH..h....p.........-h .............+h.......................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:	dropped
Size (bytes):	1869
Entropy (8bit):	5.090052514195504
Encrypted:	false
SSDEEP:	48:cG3JFnzyr3InzysWkSyrpednzyrXHnzyMySyKUdSyqIASy+dyDhdyBkJdyVYdyO:hF27I2sVbded2rH2MybKUdbqIAb+EDhl
MD5:	84493525F66D3893EF381B22206318A9
SHA1:	3AC54CCAAFCBB259E2686D3AE507F241DEDE2429
SHA-256:	07ACEF079DB6A81465940933321B624361366C6D91608D2AA8838F09BFD2550F
SHA-512:	A043DAEF7FEA5A0CEDC5A85D9B1178038138899CEC28F42A7E0E5467278AD941BE99E303B72532A7EC0FE2FB03FFB7CCE9EF0AFA2D97A60810307E3571AEFEA7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Display_45876482</Id><LAT>2023-10-04T10:58:38Z</LAT><key>29442803203.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-04T10:58:38Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215426</Id><LAT>2023-10-04T10:58:38Z</LAT><key>37262344671.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-04T10:58:38Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-04T10:58:38Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-04T10:58:38Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178267
Entropy (8bit):	5.290284211465388
Encrypted:	false
SSDEEP:	1536:Ui2XfRAqFbH41gwEwLe7HW8QM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:+Ce7HW8QM/o/TXgk9o
MD5:	868862EB0023F3E1D7BBCD537B6C4997
SHA1:	336FB6B1C59DA5EA6628572348919D48BEB6D1B8
SHA-256:	8A3FCEFDF1E688C9589FEDD11DFB86564CD6DD82871CB4799C45FACE2FC008C2
SHA-512:	ABC7B43BC1590DC45FF99C58356A41E9C267EEEFBA3D75587279CF0D10837F2E081F51BF14FE8ADECD2D4CE6E32C967A2B945C66DDB7B7B56C16D68F461D6B6A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-25T12:58:51">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04616353740967531
Encrypted:	false
SSDEEP:	3:Gtlxtjl+LMPN8alxtjl+LMPN8n1R9//8l1lvlll1lllwlvlllglbelDbllAlldla:Gtb1Bb1u9X01PH4l942wU
MD5:	FB6F88AEE1306560C8F3DD432B72D93C
SHA1:	A656EE77240DC928B9F50F3C7E2055B0A6BE53A9
SHA-256:	644E545C000909368557E59F7A37FF90B604014677E92CCE22399D14246A4A89
SHA-512:	E007AD8BE35FE0FC967A1D566DD74C627F71871E69214C3890B1222B3B387634275490E60A428BF0D8268BE216F4C00D8B7049FB4E2F934CB6B66F4E8265A1F4
Malicious:	false
Reputation:	low
Preview:	..-......................g.p......m(.2,.a...D.....-......................g.p......m(.2,.a...D...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4829849598040883
Encrypted:	false
SSDEEP:	24:KbEQ3zRDIRR0Ull7DBtDi4kZERDtzqt8VtbDBtDi4kZERDQbYBqt8VtbDBtDi4kC:eEQ1HUll7DYM5zO8VFDYMEsBO8VFDYML
MD5:	723212CDD442BF04A87F22615FC5BA57
SHA1:	1CFB242B259D6946D0337A02CF739CAFC353BE55
SHA-256:	C8931182B12C1E731CE525EF3E37440D4C6A2D3F63394A01E02937F73CEEA096
SHA-512:	F5BAB4F3A426195EE907BC7404A0D86B871C2A78A4D73B7943653500B490702A1DD1B188619396E00D45CD11CF0497FF6947F1DBC50F786821F86851882A9808
Malicious:	false
Preview:	7....-............m(.2,..T..[h.^..........m(.2,.*..g.y!.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E30A9856.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	GIF image data, version 89a, 1291 x 1723
Category:	dropped
Size (bytes):	227765
Entropy (8bit):	7.847724139022585
Encrypted:	false
SSDEEP:	6144:3edLE0Nxjjw1/S83qaqMOn5cD0d2KVGUVVQZJBedN:Olr/HA2T592KZQZQN
MD5:	C963DD5284759FCE58807EB573916EE4
SHA1:	A74A02C1789AA10875A4124F749E117B2F84F80C
SHA-256:	E7641518F7CFFCEB55ADD01CFB440487C8AFE99A2F4F1C3B3492DD79B74131C4
SHA-512:	45A0AF32A1E463CF08E8F40B786A1D8A998AFE9EFEC25E49EFB6C908C96455BE303FDC2A3A6AED49C551202626FA61C04FAC12A14132FFF9018048665C8EFBAE
Malicious:	false
Preview:	GIF89a..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................}............................................................................Q..8..5..7.......G..:..3..3..3..3..3..+..............yzwtvskllijhaa``i]VVE`.UNNAJ_H@A?:;8123+.8.....-.,&'.)c) #. "....@................................................,........@...y..H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.*]...P.J.J...H......`..K...h.]...p..K...x..........L.....+6......>e......3k.....C..M....S.^....c.M....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BEAB66EF-C1BF-481A-B717-B90ACCC8AF18}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.30455482650234045
Encrypted:	false
SSDEEP:	3:ulAmiNWlGlMVl3lTltlWlxWlXz6li39:qTWWlG6PxlXzO4
MD5:	E36C1E06A881A2F5E223ED8DF992206D
SHA1:	B49F80E263C3EFE152DFFEB91883D4EF8FAA78E8
SHA-256:	280219010A362710176F0FF1B8743865E24C7D5784F51DFB0877790CE326748F
SHA-512:	CF824656BD2E10D4F0B2852E0B8F26C6C74FE4EE08A542BA57C2565FEACE9FE7E19454F8F13D98739A805D8F4D6D61045F6ADC7097E82FF468E92A6211A04DC5
Malicious:	false
Preview:	....p.o.t.e.n.t.i.a.l. .s.c.a.m............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729861128886381300_88AC5D64-5C74-487F-B5D1-F5B881ED674C.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28760), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16191506555471719
Encrypted:	false
SSDEEP:	1536:6VCXIb8MT+FeVnysajbjxGnPkX8RyrJJGEUPJ7JhKCkcGpCSKzmj+D6n60BgZAzv:IbBSeV5eUaK
MD5:	3BEF7451498E8AC0DB8BD030EE026F6A
SHA1:	9E40A5AE9AAF517FD2B089E6DB82061859B78994
SHA-256:	1AA7DE007B58B54BB2A5568D9B4256B9851FF809EAFB7A9D4D15ED4D20338572
SHA-512:	7435F92CBF9C8AF7A56745321105C3FC43AE3E53D14347335948B754B4C7E1F11A6E955CB70FA122903B546C1F57EF4C8B3953E7BEE27502435FFEB0CDC2A1AE
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/25/2024 12:58:48.912.OUTLOOK (0x1E64).0x1E68.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-25T12:58:48.912Z","Contract":"Office.System.Activity","Activity.CV":"ZF2siHRcf0i10fW4ge1nTA.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/25/2024 12:58:48.927.OUTLOOK (0x1E64).0x1E68.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-25T12:58:48.927Z","Contract":"Office.System.Activity","Activity.CV":"ZF2siHRcf0i10fW4ge1nTA.4.10","Activity.Duration":10432,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729861128887933100_88AC5D64-5C74-487F-B5D1-F5B881ED674C.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0858460662-7780.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.480652946175104
Encrypted:	false
SSDEEP:	768:zSQ8AFJG3Oy1Bv44DH/9uf5SyWqW7XOkpf37jwKz1eifmj+QelWmWg:J4DH/9ufcDXf0jK
MD5:	53EFD03DC433EB36DEC3436C327EAD78
SHA1:	9CFE5B456663753F22759F7CAFE6D7EDBA041314
SHA-256:	66669E44E10FADF412D6D6D6D5D3D9CE7CAC5CE9224AC92A31C0D31336979AF4
SHA-512:	3BB962EEDD90EEF0278AB0D9D93AAD3FE991670450760C69A102183FC6180948A2FACDE833A53158624C356D3C31FADF9D8ADB1EF076BB3394B2240F7CB0ADD2
Malicious:	false
Preview:	............................................................................b...h...d.......&..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................p.................&..........v.2._.O.U.T.L.O.O.K.:.1.e.6.4.:.7.0.7.6.5.6.b.d.f.0.0.2.4.2.b.e.b.f.3.6.4.1.e.c.8.c.c.4.7.8.5.0...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.5.T.0.8.5.8.4.6.0.6.6.2.-.7.7.8.0...e.t.l.............P.P.h...d.......&..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0143239B44FC0412.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.335416333916712
Encrypted:	false
SSDEEP:	192:C6+WAC8b05In81KwkCi182WfUNgz0XHWQOGIAbAFAqwNh/:IW4I48Ymivujz0XHOGIMu
MD5:	896892EB65419C6077DD293D60389C07
SHA1:	05A6C0AD200B64332E57C18F1A143F29100775E0
SHA-256:	8C5B0132554ECCA6852BEF0E878BAE7E3A84475B4DB9D2ACAB07EDBFAA9AB89A
SHA-512:	174231E30378533E6F1326ECA950F050596C75C7C283F66CDDC39563AF3CB70020877027905364AB71ABB3218BDFD8E57D39CE96300470FD3EC06D54FF6BA13E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:d/lzlt:
MD5:	339219CA0EFA29B5AC29432337CBE382
SHA1:	A8DB8C71B3C10811C353CAD4B578C11ABE2BED18
SHA-256:	AD0BB4F311858CD74879FBE702D22A37942C03997F06195231B1990EAAE37F58
SHA-512:	D2AB9A610B1E701AC76A10C6B32A0C3FAB0DD7B417DF1E05CE5E3BAA1AA07C42540B009E67D7813605FB17F386F2DECEF96A101DCDD06BD6261EA8AC16DE5513
Malicious:	false
Preview:	....j.........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.31155860274666
Encrypted:	false
SSDEEP:	768:CkQcTZtLfTmJaZ+9W4sKG6AxnHiOBfiGYSH58BUTIZ:ZrC4QgvEUfCSZeNZ
MD5:	6ABC14E878AE67FB6EA945E769A0611A
SHA1:	2CDBAEC8B5FF4DEE4C20D4BD7E815F247E02CE0E
SHA-256:	1010BAD405A853250EEB4DEC1466D773BACA42BE09E8F012F498F2AB5079C9C7
SHA-512:	ACC0FEA2246514275001E69F9F2C0486778015EB4FD9332D8696337C44F780277DE8C08EF5DCA8EB8893E8B0E2E8FEEF8CF39164821CB22AD20FFFB09CC97835
Malicious:	true
Preview:	!BDN].5.SM......\...)...........C.......V................@...........@...@...................................@...........................................................................$.......D......@Q..............>...............B...................................................................................................................................................................................................................................................................................................c...KoU.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6256647029091716
Encrypted:	false
SSDEEP:	96:WVvSA4TX284d8DJqmimFtZu3vZhOrnM9TDpd7o+U4TX:evSZmP8D4MtahWMp7td
MD5:	A32EC259186C81EB9899B1676D00699F
SHA1:	5B1ED365DD134F08231F2820D1957FAA6F8BE5E1
SHA-256:	AE6550CA660D92AA22A03E913FEE486CA551DA0302418807F75922B69BD501EA
SHA-512:	3A1FF0FB8B749D15D5FE6ED8F0C2006559E8FE2B595117B3FA7E53E00A7732304398807850850790B9973DEB9F14167388DE552A20CFF0E467F76B54ECA88EFF
Malicious:	true
Preview:	...x0...h.......d...4[...&.......D............#...........................................................~..........................................................................................................................................................................................................................................................................................................................................................................................................................................................s...D..........0...i.......d...4[...&.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	7.240066129783409
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Fw thanks for the purchase.msg
File size:	307'712 bytes
MD5:	c5c22c0b55f694394add5fc33385af36
SHA1:	9a023c633038f6944f19d7707778ad3a59ba6f16
SHA256:	5a3bd65344039d31e71bc9d51a6b024285104b53f616bb252fdc66d6d0877b20
SHA512:	b91cd5cdb1660b7f8d57250cbb94586aab61aeba69c40f67a3957e76a518478cdfcb3f1be6971a21baf420a434582182b8f9f9364ace3f4ed421e96117418a1d
SSDEEP:	6144:klVPxAJl2qedLE0Nxjjw1/S83qaqMOn5cD0d2KVGUVVQZJBed:2lr/HA2T592KZQZQ
TLSH:	CF64AE2579FB1215F173AF768AE291A38536BD92AE29DA1F1081330F01B1901DD63F7B
File Content Preview:	........................>......................................................................................................................................................................................................................................

Static Mail

General

Subject:	Fw: thanks for the purchase
From:	Scott Marhofer <scott@marhofer.com>
To:	CTMS Service Team <help@ctmsohio.com>
Cc:
BCC:
Date:	Thu, 24 Oct 2024 20:01:33 +0200
Communications:	potential scam ________________________________ From: antaben816@gmail.com <antaben816@gmail.com> Sent: Tuesday, October 22, 2024 11:33 AM To: Scott Marhofer <scott@marhofer.com> Subject: thanks for the purchase
Attachments:	fimjVjKuJs.gif

Headers

Key	Value
Received	from CH3PR13MB6387.namprd13.prod.outlook.com
18	01:33 +0000
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass
(2603	10b6:408:112::14) with Microsoft SMTP Server (version=TLS1_2,
2024 18	01:33 +0000
(2a01	111:f403:c803::9) by BL6PEPF00013DFA.outlook.office365.com
Transport; Thu, 24 Oct 2024 18	01:39 +0000
Authentication-Results	spf=pass (sender IP is 104.47.55.170)
Received-SPF	Pass (protection.outlook.com: domain of marhofer.com designates
via Frontend Transport; Thu, 24 Oct 2024 18	03:27 +0000
for <help@ctmsohio.com>; Thu, 24 Oct 2024 18	03:26 +0000 (UTC)
X-Sophos-Product-Type	Mailflow
X-Sophos-Email-ID	d9f090d582bd41cf99b56b0edb2d9add
for <help@ctmsohio.com>; Thu, 24 Oct 2024 18	01:44 +0000 (UTC)
by MW4PR17MB4649.namprd17.prod.outlook.com (2603	10b6:303:102::18)
Authentication-Results-Original	dkim=none (message not signed)
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=marhofer.com;
by LV8PR13MB6866.namprd13.prod.outlook.com (2603	10b6:408:260::9)
([fe80	:3d0d:157b:c98a:fe5%4]) with mapi id 15.20.8093.018; Thu, 24 Oct 2024
From	Scott Marhofer <scott@marhofer.com>
To	CTMS Service Team <help@ctmsohio.com>
Subject	Fw: thanks for the purchase
Thread-Topic	thanks for the purchase
Thread-Index	AQHbJJfnO3Y6awPhaE27zuJ1TcAK7rKWNEUx
Date	Thu, 24 Oct 2024 18:01:33 +0000
Message-ID	<CH3PR13MB638733053BEF9C4E4CE07367C24E2@CH3PR13MB6387.namprd13.prod.outlook.com>
References	<CAAj5Ydyo9iuGj5NXPrt7YfKMgXOEYEyJcYz9ZLkjDr=FDYP+Rw@mail.gmail.com>
In-Reply-To	<CAAj5Ydyo9iuGj5NXPrt7YfKMgXOEYEyJcYz9ZLkjDr=FDYP+Rw@mail.gmail.com>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator	msip_labels:
x-ms-traffictypediagnostic	CH3PR13MB6387:EE_\|LV8PR13MB6866:EE_\|BN2PEPF00004FC0:EE_\|MW4PR17MB4649:EE_\|BN2PEPF000044A3:EE_\|SA1PR17MB5538:EE_\|IA1PR17MB6647:EE_
X-MS-Office365-Filtering-Correlation-Id	4cf51cf7-37bd-4b98-2c25-08dcf456296d
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|35042699022\|8096899003\|4076899003;
ARA	13230040\|376014\|366016\|1800799024\|38070700018\|8096899003;
X-Microsoft-Antispam-Message-Info-Original	=?us-ascii?Q?e5AbuUrs5nV/P2LBHnXvI8SXWAAJFFyMsm7S2pr3fUnd0+VVKmzDykzKfwcV?=
X-Forefront-Antispam-Report-Untrusted	CIP:40.107.101.120; CTRY:US; LANG:en;
SCL	1; SRV:; IPV:NLI; SFV:NSPM;
PTR	mail-mw2nam04on2120.outbound.protection.outlook.com; CAT:NONE;
SFS	(13230040)(35042699022)(8096899003)(4076899003); DIR:INB;
SFP	1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount	1
X-MS-Exchange-AntiSpam-MessageData-Original-0	=?iso-8859-1?Q?+L2ZPq7CLlb0AjUG2T4pdVcqJHDE/l+yC4GTgD8acs/6xheXZZE/ftyKwR?=
Content-Type	multipart/related;
X-MS-Exchange-Transport-CrossTenantHeadersStamped	SA1PR17MB5538
X-EOPAttributedMessage	1
X-EOPTenantAttributedMessage	777b3e9b-be31-4bde-a515-52b092454f4e:1
X-MS-Exchange-Transport-CrossTenantHeadersStripped	BN2PEPF000044A3.namprd02.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	BN2PEPF00004FC0.namprd04.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs	3b8e5f1f-04b4-4121-7b57-08dcf455e8ca
X-MS-Exchange-AtpMessageProperties	SA\|SL
H	NAM04-MW2-obe.outbound.protection.outlook.com;
X-Sophos-Email-Scan-Details	27140d1e1540510e7e771140550e7d75
X-Sophos-Email	[us-west-2] Antispam-Engine: 6.0.0,
AntispamData	2024.10.24.172115
X-Sophos-SenderHistory	ip=40.107.101.120, fs=117211331, fso=133023564,
X-Sophos-DomainHistory	d=marhofer.com, fs=78615664, fso=78615664, da=83994435,
X-LASED-From-ReplyTo-Diff	From:<ctmsohio.com>:7
X-LASED-SpamProbability	0.083173
X-LASED-Hits	ARCAUTH_PASSED 0.000000, AUTH_RES_PASS 0.000000,
X-LASED-Impersonation	False
X-LASED-Spam	NonSpam
X-Sophos-MH-Mail-Info-Key	NFhaREw2NDZmUnpqV3daLTE3Mi4xNy4xLjIwMA==
Return-Path	scott@marhofer.com
X-MS-Exchange-Organization-ExpirationStartTime	24 Oct 2024 18:03:27.9153
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	4cf51cf7-37bd-4b98-2c25-08dcf456296d
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-SkipListedInternetSender	ip=[104.47.55.170];domain=NAM12-BN8-obe.outbound.protection.outlook.com
X-MS-Exchange-ExternalOriginalInternetSender	ip=[104.47.55.170];domain=NAM12-BN8-obe.outbound.protection.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	BN2PEPF000044A3.namprd02.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|2040899013\|35042699022\|82310400026\|8096899003\|4076899003;
X-Forefront-Antispam-Report	CIP:198.154.181.202;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:NAM12-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam12lp2170.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(2040899013)(35042699022)(82310400026)(8096899003)(4076899003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	24 Oct 2024 18:03:27.6184
X-MS-Exchange-CrossTenant-Network-Message-Id	4cf51cf7-37bd-4b98-2c25-08dcf456296d
X-MS-Exchange-CrossTenant-Id	777b3e9b-be31-4bde-a515-52b092454f4e
X-MS-Exchange-CrossTenant-AuthSource	BN2PEPF000044A3.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:00:05.8954464
X-MS-Exchange-Processed-By-BccFoldering	15.20.8093.014
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	=?iso-8859-1?Q?Wm5svF68gYqp0o8wFM8U9vueoDvkoBG84SPBhpJXQLa1G21d7S079dD4Ub?=
MIME-Version	1.0
date	Thu, 24 Oct 2024 20:01:33 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 14:59:11.372349024 CEST	53	63114	162.159.36.2	192.168.2.4
Oct 25, 2024 14:59:12.120354891 CEST	55245	53	192.168.2.4	1.1.1.1
Oct 25, 2024 14:59:12.128695011 CEST	53	55245	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 14:59:12.120354891 CEST	192.168.2.4	1.1.1.1	0x14e2	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 14:59:12.128695011 CEST	1.1.1.1	192.168.2.4	0x14e2	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	08:58:45
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fw thanks for the purchase.msg"
Imagebase:	0x8b0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:58:51
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A23BE57F-CC25-4808-8FCB-D94EDB892656" "9A13936D-B1EF-4C62-A3F6-4EE10EBF612B" "7780" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7f2ee0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fw thanks for the purchase.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\59462EB6-BC61-43C2-8F66-3E6EF1A5B5CC

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E30A9856.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BEAB66EF-C1BF-481A-B717-B90ACCC8AF18}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729861128886381300_88AC5D64-5C74-487F-B5D1-F5B881ED674C.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729861128887933100_88AC5D64-5C74-487F-B5D1-F5B881ED674C.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0858460662-7780.etl

C:\Users\user\AppData\Local\Temp\~DF0143239B44FC0412.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Fw thanks for the purchase.msg