Edit tour

Windows Analysis Report
f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml

Overview

General Information

Sample name:	f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml
Analysis ID:	1545323
MD5:	528948e429faaad560a4b04dde3114c6
SHA1:	2592814e7b0e692f681d2f8001ed7c907eabc89c
SHA256:	15691caf848c73cc9bd1575d3eaaa20ef93a4d63bc54b60e345c1c19fa2cf5bd
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7876 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7456 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "632021B8-6964-4F2F-B881-E475CE3549FE" "8E3A19E7-2B42-405A-A415-89DA00EEE1B0" "7876" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.office.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://api.scheduler.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://augloop.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.entity.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cortana.ai
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://cr.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://directory.services.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ecs.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://graph.windows.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://invites.office.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr, OUTLOOK_16_0_16827_20130-20241030T0730210220-7876.etl.0.dr	String found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20241030T0730210220-7876.etl.0.dr	String found in binary or memory: https://login.windows.localnull
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://management.azure.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://management.azure.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://mss.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://powerlift-user.acompli.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://static.=
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://static.wixstatic.com/media/d281d4_bed9b68077fc4a25897b94bb855c4caa~mv2.jpg
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/3590d953-043b-4457-8841-7cf4acb1f1bf?Go
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/359=
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/399=
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/399d336a-ada8-46ba-bb18-2805d35e9f94?Go
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/505=
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/505c6d24-ec72-4bc3-855d-7f6fae7f651f?Go
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/5df=
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/5dfe6107-ca04-4cf2-880c-4303fcd3ae43?Go
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/5e015eec-2063-4653-b543-a2fdc4c2725e?Go
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/5e0=
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/844=
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/844f0140-73f3-4f72-8761-aefccd98b4db?Go
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/ba592ff6-7498-489f-87de-208199f90839?Go
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/ba5=
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/c2e=
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/c2efebe8-9b1d-47ab-ad9c-77feab1feffe?Go
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/e5020188-2749-47cf-83bf-a0b2cfddec50?Go
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://storage.googleapis.com/inbound-mail-attachments-prod/e50=
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://substrate.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://tasks.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	String found in binary or memory: https://u46509964.ct.sendgrid.net/wf/open?upn=3Du001.u8cAZ5omYM=
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: ~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/2du1CWnZMhDjRmzH6f1FoLQWc?domain=u46509964.ct.sendgrid.net
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/19@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0730210220-7876.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "632021B8-6964-4F2F-B881-E475CE3549FE" "8E3A19E7-2B42-405A-A415-89DA00EEE1B0" "7876" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "632021B8-6964-4F2F-B881-E475CE3549FE" "8E3A19E7-2B42-405A-A415-89DA00EEE1B0" "7876" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email uses a suspicious sender address with a UUID in the domain (@crm.wix.com)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-user.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://u46509964.ct.sendgrid.net/wf/open?upn=3Du001.u8cAZ5omYM=	f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	false		unknown
https://designerapp.azurewebsites.net	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://login.windows.localnull	OUTLOOK_16_0_16827_20130-20241030T0730210220-7876.etl.0.dr	false		unknown
https://powerlift.acompli.net	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://notification.m365.svc.cloud.microsoft/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://cloudfiles.onenote.com/upload.aspx	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://static.=	f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://powerlift-user.acompli.net	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://url.uk.m.mimecastprotect.com/s/2du1CWnZMhDjRmzH6f1FoLQWc?domain=u46509964.ct.sendgrid.net	~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp.0.dr	false		unknown
https://officeci.azurewebsites.net/api/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://store.office.cn/addinstemplate	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://d.docs.live.net	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545323
Start date and time:	2024-10-30 12:29:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml
Detection:	SUS
Classification:	sus21.winEML@3/19@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.76.243, 2.19.126.151, 2.19.126.160, 51.105.71.137
Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, onedscolprduks03.uksouth.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.384309830005319
Encrypted:	false
SSDEEP:	1536:+fYLDXgs4tvD2M2NHgs6hNcAz79ysQqt2kDc1qoQnTrcm0Fv8qPyyetGrf04cdjG:/zgRlYg5miGu2lqoQTrt0FvMdMYPDQld
MD5:	E9EED3B8F9D93446D553707A675883ED
SHA1:	C61FFD36386FAACC0B960CFF978A0065CCE1B410
SHA-256:	B7AAB2DF6DB32E752A786723CFAC2393328C46218CC9AE5BBC771E42261666F0
SHA-512:	77C4C5C83169B0BEFF3501F3DBC90D7404CCCF98A4F90981FAF0A8E33924EE5AAA6EC612E9C448ADC7D0B87B29BBE614CE8AF9EDD1965B8A291243477D43977D
Malicious:	false
Reputation:	low
Preview:	TH02...... ...........SM01X...,..................IPM.Activity...........h...............h............H..h.........PJ....h........P.c.H..h\FRO ...1\Ap...h..x.0...h......h.V.b..{........h........_`Fk...h.W.b@...I.tw...h....H...8.Kk...0....T...............d.........2h...............k1.2.....-.4...!h.............. h.V............#h....8.........$hP.c.....8....."h`.q.......q...'h..M...........1h.V.b<.........0h....4....Kk../h....h.....KkH..h..{.p.........-h .............+hyV.b........................ ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

File type:	ASCII text, with very long lines (426), with CRLF line terminators
Entropy (8bit):	5.707053089808133
TrID:
File name:	f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml
File size:	62'144 bytes
MD5:	528948e429faaad560a4b04dde3114c6
SHA1:	2592814e7b0e692f681d2f8001ed7c907eabc89c
SHA256:	15691caf848c73cc9bd1575d3eaaa20ef93a4d63bc54b60e345c1c19fa2cf5bd
SHA512:	d78de42139ce1067db88b2cbe2774e57875f1b9a5d1a1823d968fad56d142f04a08cf694ba94e8f813937e6645cc8c6696477e75e38ec0bbec8d85a07ba855fb
SSDEEP:	1536:bdFMZt4bpe2AaBodBDdICotADdICjADdICoDQrbqisLjcX9LXvTMh:bdF+t4b7BoFICvICmIChJgh
TLSH:	4A531A65B6C0D1CA1C7911B0F57129C4FBB04E2FDB6328B83C3FA5266FA84614A5B7C9
File Content Preview:	ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;.. b=FBDwOwrDEkOWX6R5De1wkm5WiqoECppO/tHYrK6gW4Qj0XJZSrrUhhjlz13WvIBcJaCbE4FLYt3ba+B4LP6sBMauGms1044OUisCHOMMLiAt/hrV/cgoNRT3YaY5/z29ESlR6Lq/y7xUzw0nAcmAOdtWF1/lBp+GX0Ue602rZJvBDugA

Subject:	RE: [Parking and Property] Appeal PCN - new submission
From:	Parking and Property Management <9ed680ee-bce6-4f9a-bd58-0ea10a27b53f@crm.wix.com>
To:	victoria.copeland@frpadvisory.com
Cc:
BCC:
Date:	Fri, 25 Oct 2024 10:43:15 +0000
Communications:	My full name is Victoria Copeland. I work for FRP Advisory and was of the understanding that we can use the space in the far corner of the car park as it is an overflow area. Kind regards Unfortunately, we are unable to process your appeal as you have failed to provide your full name. Please reply to this email with the requested information. Your appeal cannot be considered until all the information has been received. Please be aware that a response received after the 14 days reduced amount period will result in the full 100 being charged. The information in this e-mail and any attachments is confidential and may be subject to legal professional privilege. Unless you are the intended recipient you are not authorised to, and must not, read, copy, distribute, use or retain this message or any part of it. If you have received this e-mail in error, please notify the sender immediately and then permanently delete the e-mail. This email message has been scanned for viruses. Registered in England & Wales Company No: 8645452 Ocean House 12th Floor, The Ring, Bracknell, Berkshire, RG12 1AX. FRP Advisory Group plc company number 12315862. FRP Advisory Trading Limited company number 12315855 a wholly owned subsidiary of FRP Advisory Group plc. FRP Corporate Advisory Limited, company number 09700818 which is authorised and regulated by the Financial Conduct Authority (FCA), registration no. 716736 a wholly owned subsidiary of FRP Advisory Trading Limited. FRP Advisory Services LLP a limited liability partnership, company number OC429945. Corporate Finance services are provided by either FRP Advisory Trading Limited trading as FRP Corporate Finance, or if the services are regulated by the FCA, by FRP Corporate Advisory Limited. Where relevant please refer to your Letter of Engagement for further details. All companies are registered in England and Wales. The registered office is 110 Cannon Street, London EC4N 6EU. Individuals described as Partner are members of FRP Advisory Services LLP, a full list of members is open to inspection at the registered office. For information on how we collect and process your personal information please see our Privacy Notice. This email is confidential and may be privileged and is intended for the relevant addressees only. If you are not the intended recipient, please accept our apologies. If you are not the addressee, please do not use it in any way. If received in error, please inform the sender and delete all copies. Any information or opinion in any email or it's attachments that does not relate to the business of FRP Advisory Trading Limited or its subsidiaries is personal to the sender and is not given or endorsed by FRP Advisory Trading Limited or its subsidiaries. For further details of our disclaimer and corporate information please see our Legal and Regulatory Notices.
Attachments:

Key	Value
ARC-Seal	i=1; s=201903; d=dkim.mimecast.com; t=1729852998; a=rsa-sha256; cv=none; b=WDPV9hCVggEsJqjqRK1+t0zUqv4gKN0fiUGrvku/u8j2VB2iE+wHcOD29APhO48a5Y6dgP h3qXYuZHqRgXQyv996A2p/nkNjvzpZdE1mVDe87KVdIFokoO6iF4s5kWGNJZxe40F0M5/R aL0hwY2QqxQ31a0utdzRbAE8aQoQ4GcqIYyWC6LSm9kBIUTzQafplYoeb+b5si4bkfzQe1 TKnnihTNJuNYE2DeuRW9ul9ztMWW+WYia79oUKzobKmDJT1wl6HlrArJgmJFTAYFSPG7Qh 7oCzjVzRNjx5hjmI2hS9Ys9avYgv3PoAca5/cVcHQ2Ngi5aXQxfxP8NVQpDWtw==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=dkim.mimecast.com; s=201903; t=1729852998; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:dkim-signature; bh=31NzxeW5Bx8fuhiPSsFM1J9XUz2V2Zn0d6qDTHTSr2Y=; b=KOji67UgQAXoCQ6gYK/Ikq9AuZmPfz9ck2V219eLh63YDv9lQf/pzvKpmP7H3++msadl/i zzUFx7KsWyyur0rMGAVln36PWuLTj1dvAbEwRq+CNrl2+Bxk/HEeiigXRfgkYU87nGU+3y 1VePxGLR/93Q3pIFDBrhhlY2Maortw3SK9NAao+RNHkJ5uWiXy+ltTjBnHXfQZnCpM7dal QKM6I4V2gSo+qW2HeZIzs8RBogWe47GJce51FyKlZc2Cx+bZECSInJIoUD5TdLNu2CvzIg lDg1+mBzUcJfNlqmCGtaULDYNVN1M8cnbb8mQqSnSDVG1ZBiu3sbfeMRoaNPag==
ARC-Authentication-Results	i=1; relay.mimecast.com; dkim=pass header.d=crm.wix.com header.s=cm header.b=H8B7IlSE; dmarc=pass (policy=quarantine) header.from=crm.wix.com; spf=pass (relay.mimecast.com: domain of "bounces+46509964-a91a-victoria.copeland=frpadvisory.com@em846.crm.wix.com" designates 159.183.137.76 as permitted sender) smtp.mailfrom="bounces+46509964-a91a-victoria.copeland=frpadvisory.com@em846.crm.wix.com"
Received	from NDY1MDk5NjQ (unknown) by geopod-ismtpd-1 (SG) with HTTP id 3Qwz_VdEReymcZW_EFxsYw Fri, 25 Oct 2024 10:43:15.579 +0000 (UTC)
Authentication-Results	spf=fail (sender IP is 195.130.217.221) smtp.mailfrom=em846.crm.wix.com; dkim=fail (body hash did not verify) header.d=crm.wix.com;dmarc=fail action=quarantine header.from=crm.wix.com;compauth=none reason=451
Received-SPF	Fail (protection.outlook.com: domain of em846.crm.wix.com does not designate 195.130.217.221 as permitted sender) receiver=protection.outlook.com; client-ip=195.130.217.221; helo=eu-smtp-inbound-delivery-1.mimecast.com;
Authentication-Results-Original	relay.mimecast.com; dkim=pass header.d=crm.wix.com header.s=cm header.b=H8B7IlSE; dmarc=pass (policy=quarantine) header.from=crm.wix.com; spf=pass (relay.mimecast.com: domain of "bounces+46509964-a91a-victoria.copeland=frpadvisory.com@em846.crm.wix.com" designates 159.183.137.76 as permitted sender) smtp.mailfrom="bounces+46509964-a91a-victoria.copeland=frpadvisory.com@em846.crm.wix.com"
X-MC-Unique	ty0WIClXM1aQ69Fgi5KMLw-1
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=crm.wix.com; h=content-type:from:mime-version:subject:reply-to:references: in-reply-to:to:cc:content-type:from:subject:to; s=cm; bh=vfmsFJeRjNNkJ4QivOA9ipatVJrhNFprOQ26+sA+aVs=; b=H8B7IlSEOZfQr+vy2ms3opOjDJ4op1YRa42hi/od3b7Oz7zAsXYkYKu6tRYmyAFdk7Gq 54Ai4BgAtXM0L28alHwaQF7OSJB6xPPhlefe4hJU1iDdzTx2zwp2deLV3c4cPFBjJM1mIl UmVEiCRYof8eVXr0hMeQBRC1Osrl5IoJ7tkeJsNeMwuYe6U1cdOQRLbtVQwpA1pQxylz+d zYKfM4lAsRrzFJG5GSmgcaXR2AtdeKRVPKjjZhgJNyjVQEDWmpNoCrGv6SttdnpdN9kT68 /febFzWaGwrP7xMTRKuML86buO+AEQe76a0oz8uyvs/aM9rw3nCDBPtoEwXm8PWA==
Date	Fri, 25 Oct 2024 10:43:15 +0000
From	Parking and Property Management <9ed680ee-bce6-4f9a-bd58-0ea10a27b53f@crm.wix.com>
Mime-Version	1.0
Message-ID	<dd284293-c693-42a3-9426-979d74a0473b@crm.wix.com>
Subject	RE: [Parking and Property] Appeal PCN - new submission
Reply-To	Parking and Property Management <9ed680ee-bce6-4f9a-bd58-0ea10a27b53f@crm.wix.com>
References	<AS8PR09MB6594F6B43C9795076AD8027DE34F2@AS8PR09MB6594.eurprd09.prod.outlook.com> <AS8PR09MB6594F6B43C9795076AD8027DE34F2@AS8PR09MB6594.eurprd09.prod.outlook.com> <59c31bf8-092a-4d3e-8909-b1bc55dd9835.ac15cea0-261c-4e75-ac74-7b81e80f7256.f1a0c731-879f-4f56-8ad3-ba7def04243c@emailsignatures365.codetwo.com> <LNXP123MB3803ECBA7DE872D668A11157F14F2@LNXP123MB3803.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To	<AS8PR09MB6594F6B43C9795076AD8027DE34F2@AS8PR09MB6594.eurprd09.prod.outlook.com> <AS8PR09MB6594F6B43C9795076AD8027DE34F2@AS8PR09MB6594.eurprd09.prod.outlook.com> <59c31bf8-092a-4d3e-8909-b1bc55dd9835.ac15cea0-261c-4e75-ac74-7b81e80f7256.f1a0c731-879f-4f56-8ad3-ba7def04243c@emailsignatures365.codetwo.com> <LNXP123MB3803ECBA7DE872D668A11157F14F2@LNXP123MB3803.GBRP123.PROD.OUTLOOK.COM>
X-SG-EID	u001.F6ce459d9Naf+46IYbfQ2NZcE3tkwotxoA+HI0O/qsoK8vrcCF6iFeXmql5mxqL1V8rdQJ26FSBMMLPLkrJFLiQMLdF+q3va883uqV7MJeGtk9pG7fZP+q8rbOBxL0B6sTvfVADGwsmImWH9JP7NZ9LU+Gnhi9/F6QUHZiwW9xkstrvJKvSF7zLRlwmVpfU/5kzL25S98WGlpjou+W1UTZLD9jUYbscSdGvB7n+wh08O06wox5j+eOm0xyu74NjlE6mvt6c76QDsxusOYbi0LZtWuRLpIkjA4jRUOCoxLO+NAVM06pfl8sF83DXSfsqi
X-SG-ID	u001.SdBcvi+Evd/bQef8eZF3BpTL9BgbK5wfSJMJGMsmprB0dQaFubbFr0r5v6Ml72IsqfJkeU34cCSTEj4N3WuB8tPE3N+YuoQaTxKXqEaqcQjFJ1npEz2cpYOhkyAqGuoxio427JJ8oCbXSI7/h7GbmpXrt4GHat/qXpxfiOsF4qStQxVbR/PQIwUkLys+EvuKNMP4WOmQ2fsoVOEqs8nRSwNTPVK1AaVKf/54W8sG6Wn3dkIgvl/a8jtrQvTbqjbisr+EExABzTmUP4lwDfWPN7StvowcYLSinwZopswhcL8mArT2BdRkcLv8YPVtUBldn4PNvH/CZtXYnHKiYxc4I6b0rQ0Y72iF5WsVurkDNtzzciyLDBHSqDgAhTlXv7lMP3qlkD3ehiJbf/1xG0Asx+zvP6vXRe+TjrTU71qA3aKhXqaEomXoI46piq+j9iEWn/l5yKexl1e+wvVsvNesCEA8SmrzKXBInjblP53NeJQY5AjXiUrgiF15fnrMafaSjioKSJO+CEljxPJ3TNi9uglPJs3q+Z63c/RfCsZC85t1oo5xXi9BJ2QAWmyHecoi7KYw1L/vLravmmSfHY/g80qbIe0SUnS24wwpaZahVzqCuDQKrjAiRxEL/R1VRJKZWFOwun27m7/ihfzpXeaOuA2rvDN6xO43zcgzlmeTZzrCiyxXMiDU7nEEHPaaVdmis6ShxCjv6XnPT9mm5/gLOMm3f9gb/DpBtHUzTMIivyQ=
To	victoria.copeland@frpadvisory.com
X-Entity-ID	u001.Khd5ZXTf7HqOUa89odjlfw==
X-Mimecast-Spam-Score	1
X-Mimecast-Impersonation-Protect	Policy=Impersonation Protection Global Definition;Similar Internal Domain=false;Similar Monitored External Domain=false;Custom External Domain=false;Mimecast External Domain=false;Newly Observed Domain=false;Internal User Name=false;Custom Display Name List=false;Reply-to Address Mismatch=false;Targeted Threat Dictionary=false;Mimecast Threat Dictionary=false;Custom Threat Dictionary=false
Content-Type	multipart/alternative; boundary="2b15f8c039de654fe828fa074ea6cfeb00ac78d7797aec57f403469faac6"
Return-Path	bounces+46509964-a91a-victoria.copeland=frpadvisory.com@em846.crm.wix.com
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	ab033647-8b6d-47b5-99e4-d8b38f676539:0
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	DB5PEPF00014B89:EE_\|LO6P123MB6533:EE_
X-MS-Office365-Filtering-Correlation-Id	f60b7ff3-e1e3-4155-ccfa-08dcf4e1d6ee
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Egress-Defend-Domain	frpadvisory.com
X-Forefront-Antispam-Report	CIP:195.130.217.221;CTRY:GB;LANG:en;SCL:9;SRV:;IPV:CAL;SFV:SPM;H:eu-smtp-inbound-delivery-1.mimecast.com;PTR:eu-smtp-inbound-delivery-1.mimecast.com;CAT:AMP;SFS:(13230040)(5073199012)(69100299015)(31092699021)(29132699027)(8096899003);DIR:INB;
X-Microsoft-Antispam	BCL:0;ARA:13230040\|5073199012\|69100299015\|31092699021\|29132699027\|8096899003;
X-Microsoft-Antispam-Message-Info	a9K6KHJHYCIeXmuM5b1LNlY/U05YkYwDaknksYl+W7g04JkvruQcLwWXDxHisQOJcTmO3moGMEM2XcFxjUfsEqsurpoSG1XKaCDxYRTFCadRwfHbqvUUW1YoIR+Iv6PVtF4j4+6q4x84dfKUV/micJucGJqjuVTjvZr1yFFAkD/8nBG0wHgb5iIcW1ESGDOQyQxQkq8RQ7iETI832g0FP+NfhkoIxh1LHKjmO5Em1ZV+de1THvn0r7l7lvSzotUOwFPj7Joe3XG6WECdY+l4zBW7T7FzwFiYryvtuC3P5ygaKS86bRXeeyNn8UeMZ2YqkpH0zC1mLoQj3QPEuNvvn4VUbwDUz86Hjb0KKPB06xmgOqRhdqNurrno63pbRQ3zVzbq/NrG6v0/Fwg3TK8oY8UutbX7Lrsp6HZfA7Rtd8+NSz0wM3RsnVyT7RmzOfzvScSDhFGK+KYLdMk2Nua9iJd2hI9HEC0fNnsImS4BHPoSHo+CarMJ8S/P7cWxgWlweqwoejw6bweYxABNrBqtwNHITuxXm8+jPBxtMzHBgcd1Ri3xUWGy7tER323gELtF50fCgkJ5MdLQOsCXyVidmw2yzdTJ1mg3QeueQht9cIf9xIG1ZOFxY43odC6INzQwk2SxPP0QaGF/6i4S6/moDnAiWPBcBUAqabadRiCvmzOVWIIvVa0h1uYsWmZctWy/JPhm/d81uB1rKkQnCckOI3/CLjnGH/me4N15fXRbCB0hs/fMQy70Vx0ySCI2ID0J3N1Dpl5nFF3lwJm94EWbclNMLUQyZSTxLUF4qOosY25oiadKLDt/xv2YWY7CSw6tFDlBx2Lg1HesPMpL6KbdMGENAwoyaSxKpgm1HCQsA+cbn7NBgu07mFVBPjfFkt3MAqINSHqG4Jzypz3ZL3kOPbbFowONqjhwnKVsPD5cSadrTIrb5zq6veGXuddWKD2mEuR1FlBpSLjbwWzS7BG3vRFbKR7FqmaQxdROERVTvo7pLLD/ar6R9fEcZrlNaXt60thnBwZ0ldIS5awv4AZ6fsSb0yagmKKHSraKacvYcf49hqPniOfObKPu55o1IFWLjWzTX2Xy43U0IfoRjGQ8DN8qSWRSlao4qMoLM7AytMYJT4FeTlUQR1p9JjvGZ6m5C/iNJeFJqxc8QQIQ1Nj38RIzClVnxOUJahKwbujPFdG5E1aMAakzTLTxRTR3hmL7NF04VnOgSmnOMpWsk1Xz18N/j+qdv7ra2cYkO8JANiHFX+pIfQ5CQ2b5EYpB2G0Iw9oyEbQu7RXoVGv01kbawOq9n/mUlfPtVs5uH2LcTxYeM3u6UOAiBbG5Hgkui4uaZp7W2FGGT2FtK2U/d4DfdxEfF9P+neWFqubIz3/WElwlp+BUSAAdPIBduHJTgTsn+jHHZuzsQvj0862+1wqqtwNnp2CHLOi7Ssqil+wegT9foOckZqVBPit3aUGCdw2i3WezHY9r3y5d0Rd9K8bZQPrKs55BzFNUBmpXc3h/+QD0fmtNq3wV/gti0Bn06DX7uCPetnkmu8/sedb8n/6bdOeif+p30AQZN/BniOiArD2ocR0xpgWMNduMATWXMSNappokS2vEqcKgNR8BZiIbhtzL8p8LYqUQNpiFaqXURnYrGggksn3wnm2uRAsQXtwhZ0zMd/WxqnyC9RCKz+EA5DM/gkfO2vjt+nyYeWAq3z+1YA30cCxBcte7cTunfCQX9GP2DEikP6y3goNAKF/6UqBx7TOl/inKWeMe8Sj7WVQOhkpu4OZWxdsKg2CC3Hasp3CKD27bmnfH629is/kL377QlHz/tk0fCGscyA3DeoZw2UwzIcSvlJDcJ1Vk0B+WHepcAF1fuOJaJqLjIeUQ0MBGzlg9ceUhQufkd3U8Fx20Gw79tRtuTDbp4oFv96jOAHPlW1ZVeZBMTiTfknifPpBXgFO2D/fZKKOYWusjAgQoYhn9WS8967QxqajPUxnRGBMz61BFrww43Q69ENrg3wobBt7oA1RC2GTnY23D2xhSXaUXiW5hu6HwG695hkQ3iK+23I3ojdK/l0ZgZsgydw7X4BWUTW/+w9r3CdDez5ZOP8jYue/qqQertKjwPCjVYO2LtgRgHACQ/TzZl1foQp8LCCvK0+dqcY5/MCFAyjMhIpDAT2q2eDKktBcwtkj6ql3fOAUDBJWzTrqvO4bsaU4x1CtNBIOP4nqWRcrYeP0Le2mD0E8L5gv4DXRvWNz3ADXFN5hWFZiYcuPnzg2l3ZA5s5wcCZ58kXnXNJdhfASQmRTuSbI1pT6sxx3+3wPZ9++QSkbyq/EfZp1d3r0HVWh68pUnU62S22o9Wnt4+rUvHDkHAt30m5Jn3M/IcNNrxtXP62w814mVsvhhHBvqwLADl6EWMiu/e01vUKJJHE8CvGdZR7A6CZKgOCQTEXFAY7mW+v8aWEH6mNa4nsP8glYi/+WNk+7JaRE4j/9NmI+BhTuHYs+RwOvQv5TZ+s4ikmVy6OIyN2HnxgB5rFMdQGNW8BSkVT1IZN4MGCPTJJ3juEQ0ZGzlfRxPx55ZgaVJI36BK/phBbyd/Y2jq5m1+r+fFJclYBfjVSptD3R8V1FAb3T78HmZELYg4BFL4+6wgUkm1IqMNFT43pYxJLDKWCNXF4c3l4ntwvuNO1GSwZrySwE3oWoWmGcMj3mwJxUkWvIjIjD6yZ58OXxOxk4xhHbZgJUZ+E08t/BsQGvDb5Eoc+RVtta7JlZY7qsaITdPKr+TxNKKvAmU+nLYVY5TM1qho7zIOe0qXjl1K04NJEWCL7j76WOlEGFQqzItC/3v5sLg3/ZukdrVUgaEewfSK4sqg9Ozpf1l1H9WO4b0aKHv91ed4hi/f/tT8Tsgbcd6cTt6R3hQCAcfojOpTsxpx04T/4r3tPKML1rNGNKVCoyIXDMYQo0+inpHjju3ivtgu3OHMXV8Qiv/tI4QnHdskg==

Target ID:	0
Start time:	07:30:17
Start date:	30/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml"
Imagebase:	0xf90000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	07:30:23
Start date:	30/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "632021B8-6964-4F2F-B881-E475CE3549FE" "8E3A19E7-2B42-405A-A415-89DA00EEE1B0" "7876" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff6fa6e0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180288
Entropy (8bit):	5.290987203208829
Encrypted:	false
SSDEEP:	1536:Wi2XfRAqFbH41gLEwLe7HW8QM/o/NMOcAZl1p5ihs7EXXOEADpOoagYdGVF8S7CC:gPe7HW8QM/o/aXbbkx
MD5:	3CD619E2537835D2E5E926E013C6B872
SHA1:	E558C96DC6A844A8CED955F548671BB4BF675468
SHA-256:	3C99D05DA5F090855E05C0B3AA3DF50F48F6AA1606F4815B38865775F01DFE41
SHA-512:	C96936C025BF61ADAAD2B1BDB891418E67CEA0A228C5C53F317204171F92D1710E5166F4BF07C4309A40B0EE947AE576407EF07525FAEC28BB456B818E1810CD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-30T11:30:24">.. Build: 16.0.18222.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5EE60242-DB2A-4BCF-8F99-37EE9AFC43EF

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{550EFD3E-95A9-4110-A000-85D18B1CBBA2}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{85A16957-A004-438F-92C1-F47588277842}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D671B2BC-50B2-4898-BC94-F5BB5C861F5F}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F467E954-8949-455D-A2CE-B657EB5224DD}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730287821542220400_F3EDF794-9550-4A06-A65D-EAF0AC51FD25.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730287821542947200_F3EDF794-9550-4A06-A65D-EAF0AC51FD25.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0730210220-7876.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
f01bb1f6-9850-8a81-0cf8-c58347364ea7.eml