Edit tour

Windows Analysis Report
92176860-bfc1-4782-8eaf-f5d7893598cd.eml

Overview

General Information

Sample name:	92176860-bfc1-4782-8eaf-f5d7893598cd.eml
Analysis ID:	1545517
MD5:	6663fdbb4c31fb654c6c6a533411ae88
SHA1:	2e35290820a229d7a1f8d2850b69829adb8a9764
SHA256:	e55bcda86788de4a7c3901aef514a883b87bba6c02d08605ff3720abbb642e48
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 2728 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\92176860-bfc1-4782-8eaf-f5d7893598cd.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 4972 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "986BD8EA-825D-401F-A448-0312EE8BF5BB" "30F4AF64-9C6A-4917-A971-93C8065FCA57" "2728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.aadrm.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.cortana.ai
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.office.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.onedrive.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://api.scheduler.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://app.powerbi.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://augloop.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://canary.designerapp.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.entity.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cortana.ai
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cortana.ai/api
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://cr.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://d.docs.live.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://directory.services.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ecs.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://graph.windows.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://graph.windows.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://invites.office.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.windows.local
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://management.azure.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://management.azure.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://messaging.office.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://mss.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://officeapps.live.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://onedrive.live.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office365.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://service.powerapps.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://settings.outlook.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://substrate.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://tasks.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 92176860-bfc1-4782-8eaf-f5d7893598cd.eml	String found in binary or memory: https://us-phishalarm-ewt.proofpoint.co=
Source: 92176860-bfc1-4782-8eaf-f5d7893598cd.eml, ~WRS{9547CF1E-83BA-4C2F-A77F-A5272F511624}.tmp.0.dr	String found in binary or memory: https://us-phishalarm-ewt.proofpoint.com/EWT/v1/C8I-Dec
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/15@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T1130490476-2728.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\92176860-bfc1-4782-8eaf-f5d7893598cd.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "986BD8EA-825D-401F-A448-0312EE8BF5BB" "30F4AF64-9C6A-4917-A971-93C8065FCA57" "2728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "986BD8EA-825D-401F-A448-0312EE8BF5BB" "30F4AF64-9C6A-4917-A971-93C8065FCA57" "2728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email claims to be a fax delivery notification but comes from a suspicious domain 'concord.net' which is not a known legitimate fax service provider

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://us-phishalarm-ewt.proofpoint.co=	92176860-bfc1-4782-8eaf-f5d7893598cd.eml	false		unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://notification.m365.svc.cloud.microsoft/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://cloudfiles.onenote.com/upload.aspx	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://store.office.cn/addinstemplate	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://us-phishalarm-ewt.proofpoint.com/EWT/v1/C8I-Dec	92176860-bfc1-4782-8eaf-f5d7893598cd.eml, ~WRS{9547CF1E-83BA-4C2F-A77F-A5272F511624}.tmp.0.dr	false		unknown
https://outlook.office365.com/autodiscover/autodiscover.json	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://d.docs.live.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	A8F9E485-F083-4F35-9CB8-CC7F1C643670.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545517
Start date and time:	2024-10-30 16:29:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	92176860-bfc1-4782-8eaf-f5d7893598cd.eml
Detection:	SUS
Classification:	sus21.winEML@3/15@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 2.19.126.151, 2.19.126.160, 52.182.143.213
Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, prod.configsvc1.live.com.akadns.net, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdcus16.centralus.cloudapp.azure.com, ocsp.digicert.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 92176860-bfc1-4782-8eaf-f5d7893598cd.eml

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Receipt.htm	Get hash	malicious	Unknown	Browse	13.107.246.45
	weekly-finances-report.xlsx	Get hash	malicious	KnowBe4	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	https://www.guidedtrack.com/programs/n5snx1a/run	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	https://1rkzzyapew.beefreedesign.com/EfTl-assets-eurmktdynamics	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://onedrivefileaccess.uwu.ai/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.leadsonline.ca	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://joseordenes.com/n/?c3Y9bzM2NV8xX3ZvaWNlJnJhbmQ9TUZCc01WYz0mdWlkPVVTRVIyODEwMjAyNFUxOTEwMjgxMA==N0123N%5BEMAIL%5D	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	http://wesiakkaernten.fibery.io/@public/forms/gBNXdAWE	Get hash	malicious	Unknown	Browse	13.107.246.45

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.389314629851261
Encrypted:	false
SSDEEP:	3072:/AguNIgzmiGu2FqoQVrt0FvY8RJIa7ZEVt:/ovmi2oY/Ia7ZE/
MD5:	DBDA09AD9D04409EF35CEC4F93DBD069
SHA1:	04D66011F16CC5A5947C46AD7DC0BEC919155B63
SHA-256:	4C31BE7A1E37F210A23E2992F630B4E5EA9FEB3E6D7058E6E8FAE6F7D0639BE7
SHA-512:	0EF7165638160D14941614976400494599766BE22C9A1E3916D44F4952D6F5DCF1525C4943B26AF893560561A292AF8FD2E30A20DBED65FE20C02D3320A3F972
Malicious:	false
Reputation:	low
Preview:	TH02...... .`..........SM01X...,..................IPM.Activity...........h...............h............H..h...............h............H..h\eng ...r\Ap...h....0.........h..e............h........_`.k...h..e.@...I.6w...h....H...8..k...0....T...............d.........2h...............k1.1...........!h.............. hJ3.f..........#h....8.........$h........8....."h.N.......O....'h..............1h..e.<.........0h....4.....k../h....h......kH..h...p.........-h .......4.....+h..e......................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:	6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	10
Entropy (8bit):	2.521928094887362
Encrypted:	false
SSDEEP:	3:LP4:T4
MD5:	EB631C5DE33DD1E518A12351D71E459D
SHA1:	55BCDA94503DC08621B45AD5C1FDD96D0D0E3EAD
SHA-256:	3624EBEC9B458E846810ED5D9885F5E5FE983D444C49B6A19E7D611304E024E7
SHA-512:	B32FAA23802E2E73BDC19D05BA811065B01EE26637D1F7DC846ADC3A6C615E274494A0364B16089A479F72AAF56DABE2CE138CF25FCC2423BA637CC5280314D7
Malicious:	false
Reputation:	low
Preview:	1730302261

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A8F9E485-F083-4F35-9CB8-CC7F1C643670

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180288
Entropy (8bit):	5.291005464350608
Encrypted:	false
SSDEEP:	1536:Li2XfRAqFbH41gLEwLe7HW8QM/o/NMOcAZl1p5ihs7EXXOEADpOoagYdGVF8S7CC:RPe7HW8QM/o/aXbbkx
MD5:	EA6D9EBBFAED9F2ADB8AD972CF8A3F1B
SHA1:	D9125C4971E10F5AD482AA21717A352A0D844174
SHA-256:	E5F24D7710EBF7B090577865CF4BBC7347D445559ED93ECE87FE00AA6EFC2AC8
SHA-512:	C98A5F86DFBF4431C0F67FF21100CB51BEA79735F823E28245A2FFF612D176D5E19B7519803DC7D894A96FBF9C98BFBDDA84450C77473C3D897616591F1ABB4B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-30T15:30:54">.. Build: 16.0.18222.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04604146709717531
Encrypted:	false
SSDEEP:	3:GtlxtjlK5MkG15LSPZHIttlxtjlK5MkG15LSPBll7R9//8l1lvlll1lllwlvlllZ:GtqvPZ4tqvPB/F9X01PH4l942wU
MD5:	548D4D42DC15FA9DD1502D29C62DF1DB
SHA1:	5B5990C0BCE49C5EC16B266206E1F8EEC16907B2
SHA-256:	14BB1A723DA3324B59B961935174212089DD4047DF11CDB93490727BC1677582
SHA-512:	708138DF39395619DD1A149FAA7FE7FBCAF3DC0671642D66A26A9F4E287C649E84DD4BFB99B87BDF6F134D0F3F820D9C255658F6CABC95955F5AC793ED2A993A
Malicious:	false
Reputation:	low
Preview:	..-.....................N+.... .^Ac.M.H#Z..F....-.....................N+.... .^Ac.M.H#Z..F..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	49472
Entropy (8bit):	0.4828598879216872
Encrypted:	false
SSDEEP:	48:gauBQ1nUll7DYMuunzO8VFDYMj33lPBO8VFDYML:gA2ll4KzjVGUjjVGC
MD5:	35F0FAA6EA09342B1A6E1CAD1FB36287
SHA1:	AF7FEE63407EDCB922B698BD9850755F06ED54B6
SHA-256:	6DA0320AE1F3E7AA1841C19C2C122CF77127557E1FBFACDF62066317B137A79F
SHA-512:	3716F3E17FE38F65251D05E298A5E77B7C740AC61D2C3606AE1687141EFF845D33E5F72059B11188699B0C30AA7B99CD1DA298AECEE46152578D1408098E3BE1
Malicious:	false
Reputation:	low
Preview:	7....-..........^Ac.M.H#.JDq}z.c........^Ac.M.H#...;.c.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C4D146E.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 93x68, components 3
Category:	dropped
Size (bytes):	2709
Entropy (8bit):	7.530160130287365
Encrypted:	false
SSDEEP:	48:AqNn2DeBCMJ3epsj3jldHdKL37D4E5dSLrEiXIWAZVG2OhVq2b79qmfVb:/2ynj3fC3+XEiYWCk20q2b35
MD5:	073F52628379906B180A3CA59C93A5BA
SHA1:	5C8F58F9B1BD7E7E5DB45FE736C279A19CEEA60C
SHA-256:	20A12727D16122730A6853658EB0395FE27742D9859A34B9E4DEEF8E6C99A06F
SHA-512:	2EDB3C35D63085CAEF1796F385C2DFF4B3E05DBA425A08C2B4BD0E0109A69F194FBFF4C76D69BF2ACFD458A7A54A3F0B2BDA60D764FBADFB818B45677C7CF878
Malicious:	false
Reputation:	low
Preview:	......Exif..II*.................Ducky.......<.....-http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Macintosh" xmpMM:InstanceID="xmp.iid:C38E4DC6D69E11E295C6D8EF5D1AE55F" xmpMM:DocumentID="xmp.did:C38E4DC7D69E11E295C6D8EF5D1AE55F"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C38E4DC4D69E11E295C6D8EF5D1AE55F" stRef:documentID="xmp.did:C38E4DC5D69E11E295C6D8EF5D1AE55F"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9547CF1E-83BA-4C2F-A77F-A5272F511624}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	2780
Entropy (8bit):	3.449805153485938
Encrypted:	false
SSDEEP:	48:vGkp3c+L/UDqYclEXfGO4csGaZ1v6PLz8Jr:vGkp3c+rUDqyXIG+yn
MD5:	1DDAC8414F478104262B07E226F65457
SHA1:	35311980A74998D71A5BC78F09956AC6840141FC
SHA-256:	5AACF1F513D89C463EC8178D91BDBB5D58F6AF642B4EB6BA5AD5E036809D3335
SHA-512:	71BD241C89FEFA58D1AE9C3C589365CF811FE77CE014B09267C4F8F78BF3DF7495CFF315FE20B459A23BB923B7545488751C693DBE168C6F7CF2C751108C719A
Malicious:	false
Reputation:	low
Preview:	....S.u.c.c.e.s.s. .Y.o.u.r. .1. .p.a.g.e. .f.a.x. .h.a.s. .b.e.e.n. .s.u.c.c.e.s.s.f.u.l.l.y. .d.e.l.i.v.e.r.e.d. .t.o. .+.1.8.8.8.2.2.3.0.5.5.0... .T.r.a.c.k.i.n.g. .N.u.m.b.e.r.:. .6.1.1.-.2.5.3.5.8.8.4.7.6. .F.a.x. .N.u.m.b.e.r.:. .+...................................................................................................................................................................................................................................................................................................2...r...t...N...P...R...B...D...F...H...J...L...z..........................................................................................................................................................................................................................................................................d........$..$.If....:V.......t.....6......4........4........a.........d....*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........4........a..

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730302250500204600_26E86ABB-3F2B-4028-B3CF-DD1F1FF2BE67.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28770), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16041076361850262
Encrypted:	false
SSDEEP:	1536:alonO3kATP4Cv34T0WycLeZ1D6k+eJ2UBBK8pmpjf9IdVBmn:w3HsCvsXqZ55
MD5:	13CE0E9A236B3DFE9BB1D189933D4F14
SHA1:	EA955D626D9452573E1427166F46010962DEAFE1
SHA-256:	B7AF8359BF29B517A5F0BF991AE30DE3320D5A681937EFE95DCB201535F2E4C3
SHA-512:	B267A4B44AB431C12F5A1EF42420CABBCC91DAD2B0DD2B69C228A9A3C29B1DB739B2B8EB2058C07FD12759F02A8986C08B0EF8BBB4EEE182228B0A8B776CEACA
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/30/2024 15:30:50.539.OUTLOOK (0xAA8).0x14D0.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-30T15:30:50.539Z","Contract":"Office.System.Activity","Activity.CV":"u2roJis/KECzz90fH/K+Zw.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/30/2024 15:30:50.554.OUTLOOK (0xAA8).0x14D0.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-30T15:30:50.554Z","Contract":"Office.System.Activity","Activity.CV":"u2roJis/KECzz90fH/K+Zw.4.10","Activity.Duration":12189,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730302250501167000_26E86ABB-3F2B-4028-B3CF-DD1F1FF2BE67.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T1130490476-2728.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	4.511469221510684
Encrypted:	false
SSDEEP:	3072:AL4VTPZsJdKJODA4LiMk0jz6Q4yE/hAwP8QEADWPkh+YXLFA+ZV9FqcOberu1J9z:FIQnUnULYUHzaBMa
MD5:	8E35E622F845A976A8E7C421E239A1FE
SHA1:	15CFD4A714D66086FD51AF633E34E61BC968BDB0
SHA-256:	69A225E72D7A545713E623F3EBD9842201657B5B3645BDBCE9F4E730A8F69EAE
SHA-512:	8BFA65B7F8D8A3EDF50FDDCAE2B191BEB8DD7888AE68210E8074E999736EDF039536C3F0FC06F24C1C15DAF264BC4E3B6C2BC3924270DF4866613287AA8C0013
Malicious:	false
Preview:	............................................................................f.................................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................R.lJ.........................v.2._.O.U.T.L.O.O.K.:.a.a.8.:.3.c.c.e.e.2.c.2.4.c.9.2.4.f.7.2.b.4.c.6.e.8.0.f.6.e.1.8.4.6.c.8...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.3.0.T.1.1.3.0.4.9.0.4.7.6.-.2.7.2.8...e.t.l.........P.P.............*..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:e2I:e
MD5:	DFC5C2CC47C374F43741D4C072E4652A
SHA1:	E46BDCD8CB79C83E5B1C2B71D428EEA6DBF456AD
SHA-256:	F8F90ADF1A1D0EBA293A282C9EC6C169708CB0723028A2560FDBAAD9207F15A2
SHA-512:	E39358CBD1D03FDFFB58FD672D05FBB2A4FF6DF31D3AA4DA0E487E34A31005CF21B5F5F1FAE0CCBD5B5D8D01B65952092AA443AF09CB9AF12955B05CED460485
Malicious:	false
Preview:	....).........................

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.6697090518409474
Encrypted:	false
SSDEEP:	12:rl3baF0qLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheC8O2:r+mnq1Py9618R
MD5:	8BD9FED483E9EF82206E419C3A7976E4
SHA1:	43B98D12D8C53CCB8780F5334C72522E71043C25
SHA-256:	CF482D45A5CDAFAC9775EEC1FBBD86C9A4B2328AC736001DE314EE869DD514A1
SHA-512:	1F9FEA24A03CBA2262F2FC48E15876F3621493E0C193C87D8BFF747A1C1F3634D0B532340A7FACCE35E5C941EC7A70706D055A99FEE5210ED6BF6DE879926A7D
Malicious:	true
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.7850392507775426
Encrypted:	false
SSDEEP:	1536:2oNThqRxp5ymkgSYED5rVXUbLwyp5yvRpl1nJYZA4W53jEpEHP4qQ10PAwrjVgfS:F9hY5BzPB5kl1ntap9g+hp9
MD5:	16D706399B4872DE538309D7E21B14F7
SHA1:	A2B07CACB7F78A71DA4379C306EFD6A74A375800
SHA-256:	A921B0308B514A170DECB217EED23AFF03AD6EAD00267FFD6FCF513150329944
SHA-512:	7CD2F000D71FB59D7980F46A5B773EDD23C73D0C820652C98779AC993D768BFA7BD56AA1BDFFCD745A5670FEE18054B4A7EEFE8F9DBCFCB74078C6A977094570
Malicious:	true
Preview:	!BDN..`SM......\....~..................[................@...........@...@...................................@...........................................................................$.......D...........................................................................................................................................................................................................................................................................................................................................xO...e.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	2.8059200598982836
Encrypted:	false
SSDEEP:	1536:dW53jEpEHP4qQ10PAwr1sg2mnW53jEpEHP4qQ10PAwrwioDTYHgty:Lp9kHpp9bB+uy
MD5:	321A394053C9617AF44529C7E3D91234
SHA1:	93F2574FCFD17DCD0301070EB60E0956521AD1D4
SHA-256:	1F10FD0898290BF31254D9B45F97E6FE59325A0D7F3C7904717399173C1A1E52
SHA-512:	444805D8F8634D56B1459A14792C03EA327D5F18FE597534877493C7F14C3B0A0AE25092265272FCA196D256511F64BD4C2AB941FE36B0DBC9E72CD0A5B8D6E1
Malicious:	true
Preview:	.X..C...o...........qC......................#.!BDN..`SM......\....~..................[................@...........@...@...................................@...........................................................................$.......D...........................................................................................................................................................................................................................................................................................................................................xO...e.qC.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):	6.0088938402325605
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	92176860-bfc1-4782-8eaf-f5d7893598cd.eml
File size:	26'364 bytes
MD5:	6663fdbb4c31fb654c6c6a533411ae88
SHA1:	2e35290820a229d7a1f8d2850b69829adb8a9764
SHA256:	e55bcda86788de4a7c3901aef514a883b87bba6c02d08605ff3720abbb642e48
SHA512:	6282a9be71bb6f2550f9b5a0c51a8c1faf159fddbdf2d9d5ac7efec5321e1b7a16f5211f313a83d5cdab7252a48f7d4b870c3f510764145edd696d2ff784458a
SSDEEP:	384:HLTO8WDB8ICBNJJO2SzTT0f5qZObI1T9+WQgWvXBFb3hDIIDLVIRIoLl//re:HZgaRNJ02wObkTAWQgWvXBFb3hDHsR/6
TLSH:	8DC25C62F5C1541686624135F8027F2E7B72744A93324AB0BC67727F0AC986B7F6738A
File Content Preview:	Received: from SJ0PR13MB5621.namprd13.prod.outlook.com (2603:10b6:a03:420::7).. by SA1PR13MB6712.namprd13.prod.outlook.com with HTTPS; Tue, 29 Oct 2024.. 15:51:11 +0000..Received: from SA9PR10CA0002.namprd10.prod.outlook.com (2603:10b6:806:a7::7).. by SJ0

Static Mail

General

Subject:	SUCCESS: Your 1 page fax has been successfully delivered to +18882230550.
From:	ctnotify@concord.net
To:	jlumbi@ceenta.com
Cc:
BCC:
Date:	Tue, 29 Oct 2024 08:50:59 -0700
Communications:	Success Your 1 page fax has been successfully delivered to +18882230550. Tracking Number: 611-253588476 Fax Number: +18882230550 Recipient: Time Delivered: 10-29-2024 11:?50 AM Pages Delivered: 1 This is a system generated message, please do ZjQcmQRYFpfptBannerStart Double Check Sender's Identity This is an unknown sender. Do not open any attachments or links unless you are CERTAIN it is safe to do so. <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/C8I-Dec!hcGqyqxWwJCIzR2VwADewiOvD4Ozh9u1BI4288hnM0ftcZrT-nUb4d1_uvqc4Qn_VBsi01xIWHINox4KvYUDNS8IeDS5LgyGnY7U$> Report Suspicious ZjQcmQRYFpfptBannerEnd [cid:002401ce7758$4f5b8c24$_CDOSYS2.0] Success Your 1 page fax has been successfully delivered to +18882230550. Tracking Number: 611-253588476 Fax Number: +18882230550 Recipient: Time Delivered: 10-29-2024 11:50 AM Pages Delivered: 1 This is a system generated message, please do not reply. Confidentiality: The information in this electronic mail may contain confidential, sensitive and/or protected health information intended only for the addressee(s). Any other person, including anyone who believes he/she might have received it due to an addressing error, is requested to notify this sender immediately by telephone and/or return e-mail, and shall delete it without further reading and retention. The information shall not be forwarded or shared. Intentional interception or dissemination of electronic mail not belonging to you may violate Federal or State law.
Attachments:

Headers

Key	Value
Received	from Concord.Net (chi-ppr15.platform.local [192.168.9.68]) by c3-chi-mailob1.concord.net (Postfix) with ESMTP id 842B93605B1 for <jlumbi@ceenta.com>; Tue, 29 Oct 2024 08:32:48 -0700 (PDT)
Authentication-Results	spf=fail (sender IP is 64.128.68.13) smtp.mailfrom=concord.net; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=concord.net;
Received-SPF	Fail (protection.outlook.com: domain of concord.net does not designate 64.128.68.13 as permitted sender) receiver=protection.outlook.com; client-ip=64.128.68.13; helo=mail.ceenta.com;
Authentication-Results-Original	ppops.net; spf=pass smtp.mailfrom=ctnotify@concord.net; dmarc=pass header.from=concord.net
Content-Class	urn:content-classes:message
X-MimeOLE	Produced By Microsoft MimeOLE V6.2.9200.16384
Date	Tue, 29 Oct 2024 08:50:59 -0700
Content-Type	multipart/related; boundary="----=_NextPart_000_0228_01CE7736.C84AAEC0"
From	ctnotify@concord.net
Subject	SUCCESS: Your 1 page fax has been successfully delivered to +18882230550.
To	jlumbi@ceenta.com
Message-ID	<991EDCA1FA530463FC5CD32CC5038D03BD57234D@CHI-PPR15>
X-CLX-Response	1TFkXGRIeEQpMehcbGBwRCllEF2kefE0YbX9iXEl5EQpYWBdlBW9laWR6RRx hYhEKeE4XZWliU0FkQG9oW38RCnlMF2NMXUJ5HGdbaWRLEQpDSBcHGB8YEQpDWRcHHxoTEQpDSR caBBoaGhEKWU0XZ2ZyEQpZSRcacRoQGncGGRwecR4ZGBsQGncGGBoGGhEKWV4XaGN5EQpJRhdJT 09EXkt1QkVZXk9OEQpJRxd4T00RCkNOF21edW8SEhtfUHtwS1hYQnofX2x6Gh9oE3VnbAdSX2Jb EQpYXBcfBBoEGR0dBRsaBBsbGgQbGR4EGR8QGx4aHxoRCl5ZF098W0FpEQpNXBcYEhsRCkxaF2l raU1NTREKRVkXb2trEQpCTxdpEmZgUntITF5OcxEKQ1oXHgQfGQQbEx4EGxgbEQpCXhcbEQpCRR dlBW9laWR6RRxhYhEKQk4XZWliU0FkQG9oW38RCkJMF2UFb2VpZHpFHGFiEQpCbBdlBW9laWR6R RxhYhEKQkAXYB1hYURAUhsaXV4RCkJYF29gZkR4Hh4eSU5EEQpNXhcbEQp5Qxd6SFJrQX0BQHta UBEKWUsXExIcHREKcGgXZBNCTExlfk1ERWUQEhIRCnBoF20dZRlmU2NuGnxEEBIfEQpwaBdkYRt BR1oZSAEcExAbGh4RCnBoF2FEZEQffUtifRJDEBIfEQpwaBdpQF5gbkFsYGN5XRASHxEKcGgXen BAYhtaWG1CXEIQEh8RCnBoF2B5fm98Q11BGkwFEBkaEQpwaBdkHx4ccGIbSB5nEhAbGBwRCnBjF 29OYWR8aX4BR2QYEBMaEQptfhcbEQpYTRdLESA=
X-Authority-Analysis	v=2.4 cv=HPORFZtv c=1 sm=1 tr=0 ts=67210467 cx=c_pps a=A2fxFcLfd1qLFnlwqp5sKQ==:117 a=A2fxFcLfd1qLFnlwqp5sKQ==:17 a=MgOwiCuZ2-vtBMHc:21 a=DAUX931o1VcA:10 a=wlAbEOAKiVApD66TXI0A:9 a=wPNLvfGTeEIA:10 a=SSmOFEACAAAA:8 a=DJwwaaJ2o3yt35Ke:21 a=_W_S_7VecoQA:10 a=lqcHg5cX4UMA:10 a=s_KHD6aHcoUgXWm27CaZ:22 a=bIDyNstBer9YIwb4KIAA:9 a=KQqxNPgzF0kA:10
X-Proofpoint-GUID	Gt_E881uzQZarrhP5uFP05B9_MF-xuHq
X-CLX-Shades	MLX
X-Proofpoint-ORIG-GUID	Gt_E881uzQZarrhP5uFP05B9_MF-xuHq
X-Proofpoint-Banner-Trigger	unknownsender
X-Proofpoint-Virus-Version	vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-10-29_11,2024-10-29_01,2024-09-30_01
X-Proofpoint-Spam-Details	rule=inbound_notspam policy=inbound score=0 bulkscore=0 unknownsenderscore=20 mlxscore=0 spamscore=0 mlxlogscore=256 clxscore=384 priorityscore=126 impostorscore=0 lowpriorityscore=0 suspectscore=0 phishscore=0 malwarescore=0 adultscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2409260000 definitions=main-2410290121 domainage_hfrom=9867
Return-Path	ctnotify@concord.net
X-OrganizationHeadersPreserved	SP-EXCHANGE.ceenta.com
X-MS-Exchange-Organization-ExpirationStartTime	29 Oct 2024 15:51:04.3127 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	8ec46a17-e52c-4452-5de6-08dcf8317ebc
X-EOPAttributedMessage	0
X-MS-Exchange-Organization-MessageDirectionality	Originating
X-CrossPremisesHeadersPromoted	SA2PEPF000015C9.namprd03.prod.outlook.com
X-CrossPremisesHeadersFiltered	SA2PEPF000015C9.namprd03.prod.outlook.com
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	SA2PEPF000015C9:EE_\|SJ0PR13MB5621:EE_\|SA1PR13MB6712:EE_
X-MS-Exchange-Organization-AuthSource	SP-EXCHANGE.ceenta.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-OriginatorOrg	ceenta.com
X-MS-Office365-Filtering-Correlation-Id	8ec46a17-e52c-4452-5de6-08dcf8317ebc
X-MS-Exchange-Organization-SCL	1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|3072899012\|3092899012\|82310400026\|4073199012\|5073199012\|13012899012\|12012899012\|2092899012\|13102899012\|5062899012\|4092899012\|4076899003\|8096899003;
X-Forefront-Antispam-Report	CIP:64.128.68.13;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.ceenta.com;PTR:autodiscover.ceenta.com;CAT:NONE;SFS:(13230040)(3072899012)(3092899012)(82310400026)(4073199012)(5073199012)(13012899012)(12012899012)(2092899012)(13102899012)(5062899012)(4092899012)(4076899003)(8096899003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	29 Oct 2024 15:51:04.1721 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	8ec46a17-e52c-4452-5de6-08dcf8317ebc
X-MS-Exchange-CrossTenant-Id	97bf5e89-559d-4b3e-997e-c4ee27dbd4cf
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp	TenantId=97bf5e89-559d-4b3e-997e-c4ee27dbd4cf;Ip=[64.128.68.13];Helo=[mail.ceenta.com]
X-MS-Exchange-CrossTenant-AuthSource	SP-EXCHANGE.ceenta.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped	SJ0PR13MB5621
X-MS-Exchange-Transport-EndToEndLatency	00:00:07.1116096
X-MS-Exchange-Processed-By-BccFoldering	15.20.8093.023
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	F6fmie7h6VsyOZgYyCmpmdjCylbXErTMYCq4AHQsWOZeEnu9wHImJ8jY98qiDSVzX8I7CoIawMXaaTcjFcpiAjIlqdOJ4V7hdzNGr+ba/v4ViomB1mCI+qfwtugn4K2N9CvwP4YVcugQLoRMF+TFuPKdgO+kfqZHIgR42xQw8HWRC2QtoX9Pwu+YmGO/LKe0n0uAihPsQNOwve9Ar0tG8TidbLpvAdEKpY/saJTxgiyY+wPZ1r30L0dhogOQTCG72tPOKJdEYy2W/D9E/2KrpG6HLFPeWiWosCLyhXYRm1SyI6Xvdbx/s94DTPkpJQuSrwNMAgbOvWdhgpIhbXiHWp0DzOouzKq/Ft0YUyQJsJ4MCh9uGOUovvf8nOxeywQjxXXlEHjPuMH7TY2jLxVQ9Ob7SvZ13N4ayXw/dGvhLkxVbH99ifRAXGOKDyyxbrRrK2YFrd7A2F2LI2BxvReEVqF2iExlRq+nlCrLL3M3A1Yi27cBF0HskkMCVNSRVrqtmVTj+i3gv969FxAeDyx+WqZJL+WGXvqu0HCmjgUtu+WFuwNVhfKFOKS6YdGVlHTFcccBOmXhQ0j8hPB229CQphyf0nfDxJTkr2bpOblc2/hYKzTIj0vDV0uqYJFWtvMOf2HuapkPtatTMkUU5M3w618G828j6BTRL4/2/X2vXv5nbxM8mcrP9SM/5bEIzX9HUQTCj+1XsFcyWgyTOvLALbxJ8NgZBTLotzG3SAhoIMNpJW8o9Szb9+uc175nhZxiBXD4hdKb+sG5Myf0+bIzAdZRhhYtQFszmmhDbeEsBsv8Tt8aRqSqfeQp/rV56qL3ozGr6Dptu0z6i9o/l1tsR9ELO6y81/2OlTSeJZ0fxcXIA75M8Vys6oAXCNSvjqqzqDOybXs1r6oRkh3lavLMPcfb0Xp8Z2H9Dkpjo6mfH9QOIqr1/KnC0xArv49YYqFUwxYQx8em/97YxVh30IgjpxG40ppTGRHrpx7p9egMAXUlxTfBHPatW3heez48t32iXrJE9f0jQTNtUfGGE0IEyktZdBXUbuf6eCqtO+LTRniaR27WZudKXqT1yfHIgrc6XcmAXFyzajhqgUwmE815p/kBjgV+WknY7KZQTflFb9bpSPrWgOLpIsgFRw+NhH6XLYBmJtk7NcrpKT1aeMEe2a6UXzKFHCOiF0jAsdyGjAWjQ/my7Lz/TBANbdQCbUB7kZzc6tqEzKNeCzbvUq1xfCoBLdyjmrdc/fmu7NtJ4kQ0LNf0yUE6EU5rCmWsYwsym1ftuihFtxb+atE3UEbEl8Djt+1+ICqcTf1WBy7svP9cWIBIOVgRDsCtwTO56EeoU8nHyi2XXoKxBccVogmEvSIguddsO0rT5I3QOEbFPfQuUnZfc2G/a1+n7h3B/vBlqxdxal2HXj1Ho8VabAeAnYuOXZbdKgHnCd4Sg6TgIgWt9hMYELP5QHwNhFnAYL2dwpDuf7MaZmsZNZ+mUxMkUp9/9a2zwpj27PYRr+541P/bmyiB3u2mJOymnRnM3JdGLDfHxPASpPH5t44YMtc9udqbW1ZytPjEzDFMTXp+QGlkf8Q/ujNOkPHscT0Qbz1SjpO//hiPOH8YKrSHtY4xRU94DJCWDEIs3NoDNxQwHzMHx5SYwDoGYUoZiUxIL1zZtIR+C/oooeex1MVyEEM5Il9bwVJSM+gCcZj7ex6K39OM8onO6cejhGsiHp18Ua/RLIxHSjlqAa1S8lTdJGZhAwIs2EfgoUtpfq25QITYpzf9SogG5PMedp+4bMuJSB2kf/Mpm2/m6zqi5Hj6lTthXNGc0mksjhxELecUmPRn+BqQ+Z1WT3G5S00bWzPdoO118kTTtryepENZ11nqq3cWe2YauFBY//eKpc0kQCB0HIpittzLIPrw2ItoCRiiaes5/5OvQ2RCmZZZ4HaCUFGT2Q==
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 16:30:41.837973118 CET	1.1.1.1	192.168.2.6	0x8613	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 16:30:41.837973118 CET	1.1.1.1	192.168.2.6	0x8613	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:30:45
Start date:	30/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\92176860-bfc1-4782-8eaf-f5d7893598cd.eml"
Imagebase:	0x810000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:30:56
Start date:	30/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "986BD8EA-825D-401F-A448-0312EE8BF5BB" "30F4AF64-9C6A-4917-A971-93C8065FCA57" "2728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff663d80000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 92176860-bfc1-4782-8eaf-f5d7893598cd.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A8F9E485-F083-4F35-9CB8-CC7F1C643670

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C4D146E.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9547CF1E-83BA-4C2F-A77F-A5272F511624}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730302250500204600_26E86ABB-3F2B-4028-B3CF-DD1F1FF2BE67.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730302250501167000_26E86ABB-3F2B-4028-B3CF-DD1F1FF2BE67.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T1130490476-2728.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
92176860-bfc1-4782-8eaf-f5d7893598cd.eml