
Windows Analysis Report
Voglio essere il tuo segreto piu profondo il tuo confidente..msg

Overview

General Information

Sample name: Voglio essere il tuo segreto piu profondo il tuo confidente..msg (Italian subject line; in English: "I want to be your deepest secret, your confidant")
Analysis ID:1545887
MD5:71f26efab530b8ab51af5e22d23061b9
SHA1:bbc5040bf48ab5137a4ecf4b6f7ac3e528275a62
SHA256:e590660290830aaccc401e576581aa76e618c1b075ad8877c65408ab3c70ca1f

Detection

Score:21
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

AI detected potential phishing Email
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 5820 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Voglio essere il tuo segreto piu profondo il tuo confidente..msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 2940 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5AD6BAF7-0435-4FA5-B83B-916B9126B7DB" "44F063DC-8E07-4497-AD1D-24953602D4D2" "5820" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma detected: Office Autorun Keys Modification (rule authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split))
Source: Registry Key set. Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5820, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Sigma detected: Outlook Security Settings Updated - Registry (rule author: frack113)
Source: Registry Key set. Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\2I4P3J35\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5820, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
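Both Sigma hits above are writes by OUTLOOK.EXE (PID 5820, the process that opened the sample) to keys Outlook maintains itself: OutlookSecureTempFolder is the folder Outlook extracts attachments into for viewing, and the Addins key is the OneNote add-in's registration. Those rules are still worth keeping, because the same keys are where a real persistence attempt lands; what matters in triage is who wrote the key and what was written. The script below is an added example (not Joe Sandbox or Sigma project code): it replays the two events from the report, plus one constructed write by reg.exe, through simplified versions of the two rules and ranks each hit by the writing process. The rule patterns are reduced to the key paths seen here (the published rules cover more paths and applications), and the "expected self-write" heuristic is this example's own, not part of either rule.

```python
"""Added example (not Joe Sandbox or Sigma project code): replay the two
registry SetValue events from the report through simplified versions of the
Sigma rules that fired, then rank them by who wrote the key."""
import re

OUTLOOK_IMAGE = r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Sysmon-style EventID 13 records. The first two are transcribed from the
# report rows above; the third is a constructed, hypothetical write by reg.exe
# used to show what a non-benign hit on the same rule looks like.
EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 5820, "Image": OUTLOOK_IMAGE,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1",
     "Details": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 5820, "Image": OUTLOOK_IMAGE,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder",
     "Details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\2I4P3J35\\"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4242,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Updater.Connect\LoadBehavior",
     "Details": "DWORD (0x00000003)"},
]

# TargetObject selections reduced to what is needed here. Assumption: the
# published rules cover more key paths and Office applications than this.
RULES = {
    "Office Autorun Keys Modification": re.compile(
        r"\\Software\\Microsoft\\Office\\(?:\d+\.\d+\\)?"
        r"(?:Outlook|Word|Excel|PowerPoint|Access)\\Addins\\", re.IGNORECASE),
    "Outlook Security Settings Updated - Registry": re.compile(
        r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Security\\", re.IGNORECASE),
}


def rule_matches(event):
    """Names of the rules whose TargetObject pattern the event satisfies."""
    return [name for name, rx in RULES.items() if rx.search(event["TargetObject"])]


def is_expected_outlook_self_write(event):
    """Triage heuristic (this example's, not part of either Sigma rule):
    Outlook itself refreshing its attachment temp-folder path, or the
    OneNote add-in registration key seen in the report."""
    if not event["Image"].lower().endswith("\\microsoft office\\root\\office16\\outlook.exe"):
        return False
    target = event["TargetObject"].lower()
    if target.endswith("\\outlook\\security\\outlooksecuretempfolder"):
        return "\\inetcache\\content.outlook\\" in event["Details"].lower()
    return "\\addins\\onenote.outlookaddin\\" in target


def triage(events):
    """(rule, priority, TargetObject, Image) for every rule hit.
    'low'  = the Office binary writing its own housekeeping keys;
    'high' = anything else, e.g. a script host or reg.exe registering an add-in."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        for rule in rule_matches(ev):
            priority = "low" if is_expected_outlook_self_write(ev) else "high"
            hits.append((rule, priority, ev["TargetObject"], ev["Image"]))
    return hits


if __name__ == "__main__":
    for rule, priority, target, image in triage(EVENTS):
        print(f"[{priority:4}] {rule}: {image} -> {target}")
```

Run as-is it prints the two report events as low priority and the reg.exe write as high. The heuristic deliberately keys on the writer's full path under the Office root and on the value data, not on the process name alone, since a renamed binary or an Office process driven by VBA would also show up as "OUTLOOK.EXE"-like writers in a less careful check.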
No Suricata rule has matched

String found in binary or memory (grouped by source file; strings are reproduced as extracted, and several are truncated)
  Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.dr (dropped file)
    http://b.c2r.ts.cdn.office.net/pr
    http://f.c2r.ts.cdn.office.net/pr
    http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    http://weather.service.msn.com/data.aspx
    https://addinsinstallation.store.office.com/app/acquisitionlogging
    https://addinsinstallation.store.office.com/app/download
    https://addinsinstallation.store.office.com/appinstall/authenticated
    https://addinsinstallation.store.office.com/appinstall/preinstalled
    https://addinsinstallation.store.office.com/appinstall/unauthenticated
    https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
    https://addinslicensing.store.office.com/apps/remove
    https://addinslicensing.store.office.com/commerce/query
    https://addinslicensing.store.office.com/entitlement/query
    https://addinslicensing.store.office.com/orgid/apps/remove
    https://addinslicensing.store.office.com/orgid/entitlement/query
    https://analysis.windows.net/powerbi/api
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    https://api.aadrm.com
    https://api.aadrm.com/
    https://api.addins.omex.office.net/api/addins/search
    https://api.addins.omex.office.net/appinfo/query
    https://api.addins.omex.office.net/appstate/query
    https://api.addins.store.office.com/addinstemplate
    https://api.addins.store.office.com/app/query
    https://api.addins.store.officeppe.com/addinstemplate
    https://api.cortana.ai
    https://api.diagnostics.office.com
    https://api.diagnosticssdf.office.com
    https://api.diagnosticssdf.office.com/v2/feedback
    https://api.diagnosticssdf.office.com/v2/file
    https://api.microsoftstream.com
    https://api.microsoftstream.com/api/
    https://api.office.net
    https://api.officescripts.microsoftusercontent.com/api
    https://api.onedrive.com
    https://api.powerbi.com/v1.0/myorg/datasets
    https://api.powerbi.com/v1.0/myorg/groups
    https://api.powerbi.com/v1.0/myorg/imports
    https://api.scheduler.
    https://apis.live.net/v5.0/
    https://apis.mobile.m365.svc.cloud.microsoft
    https://app.powerbi.com
    https://arc.msn.com/v4/api/selection
    https://asgsmsproxyapi.azurewebsites.net/
    https://augloop.office.com
    https://augloop.office.com/v2
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
    https://autodiscover-s.outlook.com/
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    https://canary.designerapp.
    https://cdn.designerapp.osi.office.net
    https://cdn.designerapp.osi.office.net/designer-mobile
    https://cdn.designerapp.osi.office.net/designerapp/fonts
    https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
    https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
    https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
    https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
    https://cdn.entity.
    https://cdn.hubblecontent.osi.office.net/
    https://cdn.int.designerapp.osi.office.net/fonts
    https://client-office365-tas.msedge.net/ab
    https://clients.config.office.net
    https://clients.config.office.net/
    https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
    https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
    https://clients.config.office.net/user/v1.0/android/policies
    https://clients.config.office.net/user/v1.0/ios
    https://clients.config.office.net/user/v1.0/mac
    https://clients.config.office.net/user/v1.0/tenantassociationkey
    https://cloudfiles.onenote.com/upload.aspx
    https://config.edge.skype.com/config/v1/Office
    https://config.edge.skype.com/config/v2/Office
    https://consent.config.office.com/consentcheckin/v1.0/consents
    https://consent.config.office.com/consentweb/v1.0/consents
    https://cortana.ai
    https://cortana.ai/api
    https://cr.office.com
    https://d.docs.live.net
    https://dataservice.o365filtering.com
    https://dataservice.o365filtering.com/
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    https://designerapp.azurewebsites.net
    https://designerappservice.officeapps.live.com
    https://dev.cortana.ai
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    https://dev0-api.acompli.net/autodetect
    https://devnull.onenote.com
    https://directory.services.
    https://ecs.office.com
    https://ecs.office.com/config/v1/Designer
    https://ecs.office.com/config/v2/Office
    https://edge.skype.com/registrar/prod
    https://edge.skype.com/rps
    https://enrichment.osi.office.net/
    https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
    https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
    https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
    https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
    https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
    https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
    https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
    https://entitlement.diagnostics.office.com
    https://entitlement.diagnosticssdf.office.com
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    https://fpastorage.cdn.office.net/%s
    https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
    https://globaldisco.crm.dynamics.com
    https://graph.ppe.windows.net
    https://graph.ppe.windows.net/
    https://graph.windows.net
    https://graph.windows.net/
    https://hubblecontent.osi.office.net/contentsvc/api/pivots/
    https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
    https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    https://ic3.teams.office.com
    https://incidents.diagnostics.office.com
    https://incidents.diagnosticssdf.office.com
    https://inclient.store.office.com/gyro/client
    https://inclient.store.office.com/gyro/clientstore
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    https://insertmedia.bing.office.net/odc/insertmedia
    https://invites.office.com/
    https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
    https://lifecycle.office.com
    https://login.microsoftonline.com
    https://login.microsoftonline.com/
    https://login.microsoftonline.com/organizations
    https://login.windows-ppe.net/common/oauth2/authorize
    https://login.windows.local
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    https://login.windows.net/common/oauth2/authorize
    https://loki.delve.office.com/api/v1/configuration/officewin32/
    https://lookup.onenote.com/lookup/geolocation/v1
    https://make.powerautomate.com
    https://management.azure.com
    https://management.azure.com/
    https://messagebroker.mobile.m365.svc.cloud.microsoft
    https://messaging.action.office.com/
    https://messaging.action.office.com/setcampaignaction
    https://messaging.action.office.com/setuseraction16
    https://messaging.engagement.office.com/
    https://messaging.engagement.office.com/campaignmetadataaggregator
    https://messaging.lifecycle.office.com/
    https://messaging.lifecycle.office.com/getcustommessage16
    https://messaging.office.com/
    https://metadata.templates.cdn.office.net/client/log
    https://mss.office.com
    https://my.microsoftpersonalcontent.com
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    https://ncus.contentsync.
    https://ncus.pagecontentsync.
    https://notification.m365.svc.cloud.microsoft/
    https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
    https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    https://ocos-office365-s2s.msedge.net/ab
    https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    https://ods-diagnostics-ppe.trafficmanager.net
    https://ofcrecsvcapi-int.azurewebsites.net/
    https://officeapps.live.com
    https://officeci.azurewebsites.net/api/
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    https://officepyservice.office.net/
    https://officepyservice.office.net/service.functionality
    https://officesetup.getmicrosoftkey.com
    https://ogma.osi.office.net/TradukoApi/api/v1.0/
    https://omex.cdn.office.net/addinclassifier/officeentities
    https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    https://omex.cdn.office.net/addinclassifier/officesharedentities
    https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    https://onedrive.live.com
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    https://onedrive.live.com/embed?
    https://otelrules.azureedge.net
    https://otelrules.svc.static.microsoft
    https://outlook.office.com
    https://outlook.office.com/
    https://outlook.office.com/autosuggest/api/v1/init?cvid=
    https://outlook.office365.com
    https://outlook.office365.com/
    https://outlook.office365.com/api/v1.0/me/Activities
    https://outlook.office365.com/autodiscover/autodiscover.json
    https://outlook.office365.com/connectors
    https://ovisualuiapp.azurewebsites.net/pbiagave/
    https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    https://pages.store.office.com/review/query
    https://pages.store.office.com/webapplandingpage.aspx
    https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    https://portal.office.com/account/?ref=ClientMeControl
    https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    https://powerlift-frontdesk.acompli.net
    https://powerlift.acompli.net
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    https://prod-global-autodetect.acompli.net/autodetect
    https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
    https://pushchannel.1drv.ms
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    https://res.cdn.office.net
    https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
    https://res.cdn.office.net/polymer/models
    https://res.getmicrosoftkey.com/api/redemptionevents
    https://rpsticket.partnerservices.getmicrosoftkey.com
    https://safelinks.protection.outlook.com/api/GetPolicy
    https://service.officepy.microsoftusercontent.com/
    https://service.powerapps.com
    https://settings.outlook.com
    https://shell.suite.office.com:1443
    https://skyapi.live.net/Activity/
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    https://staging.cortana.ai
    https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
    https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
    https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
    https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
  Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.0.dr (dropped file)
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
  Source: Voglio essere il tuo segreto piu profondo il tuo confidente..msg (the sample itself)
    https://aka.ms/LearnAboutSenderIdentification.
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://substrate.office.com
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://tasks.office.com
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://templatesmetadata.office.net/
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://wus2.contentsync.
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://www.yammer.com
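The strings above are almost entirely Office/M365 service endpoints that any Outlook process carries in memory, which is exactly what makes a list like this hard to read for real indicators. As an added triage example (editorial code, not part of the Joe Sandbox report and not Joe Security's tooling), the script below parses rows in the form the report exports them, splits ';'-joined endpoint lists, flags strings the sandbox has truncated (trailing dot or a bare fragment) so they are not mistaken for indicators, and separates hosts under an assumed allowlist of Microsoft-owned registrable domains from everything else, which goes to a review bucket. The allowlist is an assumption of this example; the last sample row uses the reserved .invalid TLD and is constructed, not taken from the report.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# One "String found in binary or memory" row, in the form it is exported from the
# report's HTML table (the Source cell runs straight into the signature text).
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*String found in binary or memory:\s*(?P<raw>\S+)\s*$"
)

# ASSUMPTION (editorial, not from the report): registrable domains treated as
# Microsoft first-party Office/M365 infrastructure. Anything else is sent to
# manual review, so third parties such as uservoice.com land there on purpose.
FIRST_PARTY = frozenset({
    "office.com", "office.net", "office365.com", "officeppe.com", "office.cn",
    "office.de", "microsoft.com", "live.com", "live.net", "outlook.com",
    "windows.net", "acompli.net", "1drv.ms", "onenote.com", "yammer.com",
    "bingapis.com", "skype.com", "getmicrosoftkey.com", "lync.com", "svc.ms",
    "cloud.microsoft", "cortana.ai", "microsoftstream.com", "powerapps.com",
    "microsoftusercontent.com", "msn.com", "azure.com", "azurewebsites.net",
    "dynamics.com", "powerbi.com", "aadrm.com",
})


@dataclass(frozen=True)
class Hit:
    source: str
    url: str
    host: str
    verdict: str  # "first_party", "truncated" or "review"


def classify_url(url):
    """Return (host, verdict) for one URL string taken from the report."""
    host = (urlsplit(url).hostname or "").lower()
    # Joe Sandbox cuts long strings; "https://wus2.contentsync." or a bare "h"
    # fragment has no usable host and must not be treated as a real indicator.
    if not host or host.endswith("."):
        return host, "truncated"
    for dom in FIRST_PARTY:
        if host == dom or host.endswith("." + dom):
            return host, "first_party"
    return host, "review"


def triage(report_text):
    """Parse exported rows, split ';'-joined endpoint lists, de-duplicate, classify."""
    hits, seen = [], set()
    for line in report_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        for url in m.group("raw").split(";"):
            if not url or (src, url) in seen:
                continue
            seen.add((src, url))
            host, verdict = classify_url(url)
            hits.append(Hit(src, url, host, verdict))
    return hits


def summarize(hits):
    """Group URLs by verdict so the 'review' bucket is what an analyst reads first."""
    out = {"first_party": [], "truncated": [], "review": []}
    for h in hits:
        out[h.verdict].append(h.url)
    return out


# Constructed sample: five rows copied from this report, plus one invented row
# (reserved .invalid TLD) standing in for a non-Microsoft URL that would need review.
SAMPLE_ROWS = """\
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://wus2.contentsync.
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: constructed-sample.1.drString found in binary or memory: http://updates.example-cdn.invalid/payload.bin
"""

if __name__ == "__main__":
    for verdict, urls in summarize(triage(SAMPLE_ROWS)).items():
        print(f"{verdict} ({len(urls)}):")
        for u in urls:
            print("   ", u)
```

Run it as a file with the report's exported rows pasted into SAMPLE_ROWS, or import it and call triage() on the exported text. Hosts Microsoft legitimately uses but does not own (uservoice.com in the list above) are deliberately absent from the allowlist so they surface for a manual decision instead of being silently accepted; the allowlist is the part to adjust for your own environment.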
Source: classification engine | Classification label: sus21.winMSG@3/20@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241031T0417190291-5820.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Voglio essere il tuo segreto piu profondo il tuo confidente..msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5AD6BAF7-0435-4FA5-B83B-916B9126B7DB" "44F063DC-8E07-4497-AD1D-24953602D4D2" "5820" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Sections loaded: apphelp.dll, c2r64.dll, userenv.dll, msasn1.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

Source: Email | LLM: Detected potential phishing email: the sender email (perrone@talktalk.net) doesn't match the claimed identity (Alina from Kazakhstan)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (58 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (number in parentheses = matched signatures for that technique; techniques without a number are unmatched cells of the matrix template):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Browser Extensions (1); DLL Side-Loading (1); Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No Antivirus matches
URL reputation lookups (every entry below: Detection 0%, Scanner URL Reputation, Label safe, no link):
  https://api.diagnosticssdf.office.com
  https://login.microsoftonline.com/
  https://shell.suite.office.com:1443
  https://designerapp.azurewebsites.net
  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  https://autodiscover-s.outlook.com/
  https://useraudit.o365auditrealtimeingestion.manage.office.com
  https://outlook.office365.com/connectors
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  https://cdn.entity.
  https://api.addins.omex.office.net/appinfo/query
  https://clients.config.office.net/user/v1.0/tenantassociationkey
  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  https://powerlift.acompli.net
  https://rpsticket.partnerservices.getmicrosoftkey.com
  https://lookup.onenote.com/lookup/geolocation/v1
  https://cortana.ai
  https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://api.powerbi.com/v1.0/myorg/imports
  https://cloudfiles.onenote.com/upload.aspx
  https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://entitlement.diagnosticssdf.office.com
  https://api.aadrm.com/
  https://ofcrecsvcapi-int.azurewebsites.net/
  https://canary.designerapp.
  https://ic3.teams.office.com
  https://www.yammer.com
  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  https://cr.office.com
  https://messagebroker.mobile.m365.svc.cloud.microsoft
  https://portal.office.com/account/?ref=ClientMeControl
  https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
  https://edge.skype.com/registrar/prod
  https://graph.ppe.windows.net
  https://res.getmicrosoftkey.com/api/redemptionevents
  https://powerlift-frontdesk.acompli.net
  https://tasks.office.com
  https://officeci.azurewebsites.net/api/
  https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  https://api.scheduler.
  https://store.office.cn/addinstemplate
  https://api.aadrm.com
  https://edge.skype.com/rps
  https://globaldisco.crm.dynamics.com
  https://messaging.engagement.office.com/
  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://dev0-api.acompli.net/autodetect
  https://www.odwebp.svc.ms
  https://api.diagnosticssdf.office.com/v2/feedback
  https://api.powerbi.com/v1.0/myorg/groups
  https://web.microsoftstream.com/video/
  https://api.addins.store.officeppe.com/addinstemplate
  https://graph.windows.net
  https://dataservice.o365filtering.com/
  https://officesetup.getmicrosoftkey.com
  https://analysis.windows.net/powerbi/api
  https://prod-global-autodetect.acompli.net/autodetect
  https://substrate.office.com
  https://outlook.office365.com/autodiscover/autodiscover.json
  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  https://consent.config.office.com/consentcheckin/v1.0/consents
  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  https://safelinks.protection.outlook.com/api/GetPolicy
  https://ncus.contentsync.
  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  http://weather.service.msn.com/data.aspx
  https://apis.live.net/v5.0/
  https://officepyservice.office.net/service.functionality
  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  https://templatesmetadata.office.net/
  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  https://messaging.lifecycle.office.com/
  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  https://mss.office.com
  https://pushchannel.1drv.ms
  https://management.azure.com
  https://outlook.office365.com
  https://wus2.contentsync.
  https://incidents.diagnostics.office.com
  https://clients.config.office.net/user/v1.0/ios
  https://make.powerautomate.com
  https://api.addins.omex.office.net/api/addins/search
  https://insertmedia.bing.office.net/odc/insertmedia
  https://outlook.office365.com/api/v1.0/me/Activities
  https://api.office.net
  https://incidents.diagnosticssdf.office.com
  https://asgsmsproxyapi.azurewebsites.net/
  https://clients.config.office.net/user/v1.0/android/policies
Domains (Name | IP | Active | Malicious | Antivirus detection | Reputation):
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.22 | true | false | (none listed) | unknown
URLs (source for every row: 0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.dr; columns: Name | Malicious | Antivirus detection | Reputation):
https://api.diagnosticssdf.office.com | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/ | false | URL Reputation: safe | unknown
https://shell.suite.office.com:1443 | false | URL Reputation: safe | unknown
https://designerapp.azurewebsites.net | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | false | URL Reputation: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | false | URL Reputation: safe | unknown
https://outlook.office365.com/connectors | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | false | URL Reputation: safe | unknown
https://cdn.entity. | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | false | URL Reputation: safe | unknown
https://cortana.ai | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | false | URL Reputation: safe | unknown
https://notification.m365.svc.cloud.microsoft/ | false | (none listed) | unknown
https://cloudfiles.onenote.com/upload.aspx | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | false | URL Reputation: safe | unknown
https://api.aadrm.com/ | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | false | URL Reputation: safe | unknown
https://canary.designerapp. | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | false | URL Reputation: safe | unknown
https://www.yammer.com | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | false | URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | false | (none listed) | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | false | URL Reputation: safe | unknown
https://cr.office.com | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | false | (none listed) | unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | false | (none listed) | unknown
https://portal.office.com/account/?ref=ClientMeControl | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | false | URL Reputation: safe | unknown
https://tasks.office.com | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/ | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | false | URL Reputation: safe | unknown
https://api.scheduler. | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | false | (none listed) | unknown
https://store.office.cn/addinstemplate | false | URL Reputation: safe | unknown
https://api.aadrm.com | false | URL Reputation: safe | unknown
https://edge.skype.com/rps | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | false | (none listed) | unknown
https://globaldisco.crm.dynamics.com | false | URL Reputation: safe | unknown
https://messaging.engagement.office.com/ | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false
                • URL Reputation: safe
                unknown
                https://dev0-api.acompli.net/autodetect0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://www.odwebp.svc.ms0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.diagnosticssdf.office.com/v2/feedback0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.powerbi.com/v1.0/myorg/groups0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://web.microsoftstream.com/video/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.addins.store.officeppe.com/addinstemplate0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://graph.windows.net0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://dataservice.o365filtering.com/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://officesetup.getmicrosoftkey.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://analysis.windows.net/powerbi/api0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://prod-global-autodetect.acompli.net/autodetect0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://substrate.office.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://outlook.office365.com/autodiscover/autodiscover.json0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://consent.config.office.com/consentcheckin/v1.0/consents0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                • URL Reputation: safe
                unknown
                https://notification.m365.svc.cloud.microsoft/PushNotifications.Register0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                  unknown
                  https://d.docs.live.net0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                    unknown
                    https://safelinks.protection.outlook.com/api/GetPolicy0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ncus.contentsync.0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      unknown
                      https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      http://weather.service.msn.com/data.aspx0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://apis.live.net/v5.0/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://officepyservice.office.net/service.functionality0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://templatesmetadata.office.net/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://messaging.lifecycle.office.com/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://mss.office.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://pushchannel.1drv.ms0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://management.azure.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://outlook.office365.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://wus2.contentsync.0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://incidents.diagnostics.office.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://clients.config.office.net/user/v1.0/ios0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://make.powerautomate.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.addins.omex.office.net/api/addins/search0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://insertmedia.bing.office.net/odc/insertmedia0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://outlook.office365.com/api/v1.0/me/Activities0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.office.net0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://incidents.diagnosticssdf.office.com0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://asgsmsproxyapi.azurewebsites.net/0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://clients.config.office.net/user/v1.0/android/policies0E5B4C1E-DE85-4540-AA97-DB241CA7AC03.0.drfalse
                      • URL Reputation: safe
                      unknown
                      No contacted IP infos
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1545887
                      Start date and time:2024-10-31 09:16:11 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 56s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:7
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:Voglio essere il tuo segreto piu profondo il tuo confidente..msg
                      Detection:SUS
                      Classification:sus21.winMSG@3/20@0/0
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .msg
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.76.243, 93.184.221.240, 2.19.126.160, 2.19.126.151, 13.89.179.11
                      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, wu.azureedge.net, neu-azsc-000.roaming.officeapps.live.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, ecs.office.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, onedscolprdcus15.centralus.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.c
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: Voglio essere il tuo segreto piu profondo il tuo confidente..msg
                      No simulations
                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
| default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com0438.pdf.exe | Get hash | malicious | Unknown | Browse | 84.201.210.37
| 67JPbskewt.exe | Get hash | malicious | Unknown | Browse | 84.201.210.35
| https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9 | Get hash | malicious | Unknown | Browse | 217.20.57.34
| https://cosiosos.com.de/7i2ko/ | Get hash | malicious | HTMLPhisher | Browse | 217.20.57.18
| https://www.leadsonline.ca | Get hash | malicious | Unknown | Browse | 217.20.57.34
| PRESUPUEST.exe | Get hash | malicious | AsyncRAT | Browse | 217.20.57.19
| NUEVA ORDEN DE COMPRA 73244.xla.xlsx | Get hash | malicious | Unknown | Browse | 217.20.57.34
| scan1738761_rsalinas@wcctxlaw.com.pdf | Get hash | malicious | HTMLPhisher | Browse | 84.201.210.37
| https://forms.office.com/Pages/ShareFormPage.aspx?id=w0PqEzPG80GlVpQ2KYlCgotli86l81ZCgGQV0R07kYhUMDlNVzY4TDhNS0pGV0pGVENBVVNGTURFTi4u&sharetoken=3AKcsZjmxuGhgr7rDwU0 | Get hash | malicious | Unknown | Browse | 84.201.210.21
| https://deedayoshayoatmetoback.me/whatever/toni/kross/hala/mbappe/sanchez/mark/tremble/awee/rgguuu/us/invite/ | Get hash | malicious | Unknown | Browse | 217.20.57.26
                      No context
                      No context
                      No context
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                      Category:dropped
                      Size (bytes):4770
                      Entropy (8bit):7.946747821604857
                      Encrypted:false
                      SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                      MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                      SHA1:719C37C320F518AC168C86723724891950911CEA
                      SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                      SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.).*.....Y@...(..).R."E..D^6........u....|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O.*..R....*......D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;|.*h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.*z..2.Py...A..s...z..@...4..........4.....*Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):338
                      Entropy (8bit):3.1667070084421374
                      Encrypted:false
                      SSDEEP:6:kKdPXwN+SkQlPlEGYRMY9z+s3Ql2DUevat:NPkPlE99SCQl2DUevat
                      MD5:7A4478A4F7B35DCB82FF74D46E45FFCF
                      SHA1:6F9FB3EB3651AC8CBD481F9286CB7D555F6F1910
                      SHA-256:EE86EAFEE9B133ED69E480216D5BA901EA822C1311FE2B90A34E7A45CBCC96E7
                      SHA-512:81EB1211CCF7F86440E51DA0EE8EACFA8D1EE537435626F8D78F45A52D7C573D143460D16A9B7A52161EEF290DBCE078F494D65855798C25743B99268D89DA8B
                      Malicious:false
                      Reputation:low
                      Preview:p...... ........IH.Rm+..(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):231348
                      Entropy (8bit):4.397251162027248
                      Encrypted:false
                      SSDEEP:1536:RdYLxbgs7zA8IxytjgsjBNcAz79ysQqt2/LoCqoQrSrcm0Fv/8Yys1hbL7YAZLVt:Udg6SggimiGu2BqoQ+rt0FvEATtQUOl6
                      MD5:53E08E8C3074BCA970CB18BC80E160C0
                      SHA1:82B81779F8829DC944A9B20B12134E5ED1A88169
                      SHA-256:882BC22B903EAAD4B92AA7F7584A5EC7FEF0F7EAA23948FD19259E95F19CAA3E
                      SHA-512:8D39BAD5E61700A12B46FC0ACB1C8E5AE671F2EF4C5DD1BDF64A8C7878D9C38B00B6126C6E891CA0E95AFFAD8F5F0A38A74E9F8E31203A6B84E64A374B1B64B6
                      Malicious:false
                      Reputation:low
                      Preview:TH02...... .PP.Am+......SM01X...,...p..Am+..........IPM.Activity...........h...............h............H..h.]...........h.........{..H..h\alf ...AppD...hhn..0...(.]....h..............h........_`.j...h...@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. hv.......@.]...#h....8.........$h.{......8....."h@f......0g....'h..............1h...<.........0h....4.....j../h....h......jH..hXS..p....]...-h .......l.]...+h.......]................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with very long lines (65536), with no line terminators
                      Category:dropped
                      Size (bytes):322260
                      Entropy (8bit):4.000299760592446
                      Encrypted:false
                      SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                      MD5:CC90D669144261B198DEAD45AA266572
                      SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                      SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                      SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with no line terminators
                      Category:modified
                      Size (bytes):10
                      Entropy (8bit):2.9219280948873623
                      Encrypted:false
                      SSDEEP:3:LJP:VP
                      MD5:FA3EE7A599ABB883A781CE0AA2C290FD
                      SHA1:B88866C3BF10E797A9B2667CD439E10FF7CD4E8F
                      SHA-256:C44D531FA08BC4AF241438B3AA37E9E45D02100BA8B00157A2E6E6EB3DF72715
                      SHA-512:BCB2E1E8FB2C4D8561218DEFABE62C15056855639C1B748CB03A317FF51FD9307BB45D0E0EDD2421F1CD56A793A63A2BD1C70F0A09FB0A4075270BFDA6D2C4C2
                      Malicious:false
                      Reputation:low
                      Preview:1730362648
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):180288
                      Entropy (8bit):5.290996447539795
                      Encrypted:false
                      SSDEEP:1536:Gi2XfRAqFbH41gLEwLe7HW8QM/o/NMOcAZl1p5ihs7EXXOEADpOoagYdGVF8S7CC:wPe7HW8QM/o/aXbbkx
                      MD5:6746586F5A74859FE8A6A758E506B6E9
                      SHA1:DC27536A5037723799B0D5DFA30F76D913541546
                      SHA-256:5FD9ED012EB1BA63784F401E02E0EDDC9966C442108266D9F2C1126B19D2C8D5
                      SHA-512:49CB2F69F3FDE36D11DF1A30DE8F29933AA040F7BEFC7665D2371B4A8D36EBE9EE7137B097B5B7E6DF13A84484567FEA8C29CC96A1A5911F97CB6E1AB462F6B1
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-31T08:17:22">.. Build: 16.0.18222.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                      Category:dropped
                      Size (bytes):4096
                      Entropy (8bit):0.09304735440217722
                      Encrypted:false
                      SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                      MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                      SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                      SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                      SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:SQLite Rollback Journal
                      Category:dropped
                      Size (bytes):4616
                      Entropy (8bit):0.13784977103055013
                      Encrypted:false
                      SSDEEP:3:7FEG2l+mqiH/FllkpMRgSWbNFl/sl+ltlslN04l9Xllmqn:7+/lLRBg9bNFlEs1E39uq
                      MD5:F6A0A957B234B0279951C90C7927FAC8
                      SHA1:D6FE5A9CF186C34968F0823C747F264F262E42C4
                      SHA-256:0A98CABA18BB95285532EBA3C8FDA95BA893C566286949D8293149206817C768
                      SHA-512:DA5B383A785E796E1CD995E2AE76FFBFAC6C754651684135BCF7A0BEAC2105548FD2D984EB49E5FB01FE3C12BC3A632A90F6158BA19DF32896BE91B438BC8A1A
                      Malicious:false
                      Preview:.... .c......f.0....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):0.04482848510499482
                      Encrypted:false
                      SSDEEP:3:G4l2BgYpR+Kee4ll4l2BgYpR+KeGslL9//Xlvlll1lllwlvlllglbXdbllAlldla:G4l23+KQl4l23+KkL9XXPH4l942U
                      MD5:E2B96E5E368CA04E2802133E30BE1B1F
                      SHA1:6857C4CEFE377DCA262B2D307ADE3ED6587843C4
                      SHA-256:B900DBB3BF3F37DA941E74FC8A180FC685E722A6F0627F233F1EB594BB644A36
                      SHA-512:A2A6A6A6D91F19ACD1F9460E731BFFF4D5CABA25A5320D64BC2B8896FCE091C0BF1B521C6C842AD86F5E8505BC92F0482242D6DEDBD14AAE0D91C3936DA06EF6
                      Malicious:false
                      Preview:..-.....................pW....l....2.b64.......-.....................pW....l....2.b64.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:SQLite Write-Ahead Log, version 3007000
                      Category:dropped
                      Size (bytes):45352
                      Entropy (8bit):0.39612165316047554
                      Encrypted:false
                      SSDEEP:24:K1ZTUQMIzRDVuill7DBtDi4kZERDslxqt8VtbDBtDi4kZERDvC:eUQjpuill7DYMyxO8VFDYMT
                      MD5:BDFF53D2F7873820476D3D4C45DEA829
                      SHA1:70DB6F93AC2C86CC60D1E939CF774AC923B47519
                      SHA-256:EFB430F81CE4EA3868CE6713D897C4F157D0E4D32248EE6E070E8E8211DCE141
                      SHA-512:464594F6A2E1384FC8BC8FF3302100D7379A9F00AC76737E481F02E2D4E316043D1201DDD058CF5C5249A8D53D273A0731F3FB0E8F380741490B219435753F3E
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 120x120, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 338x319, components 3
                      Category:dropped
                      Size (bytes):53818
                      Entropy (8bit):7.9633219383154294
                      Encrypted:false
                      SSDEEP:1536:7pHiWtg8UfKBk80HdtCFdgp7pcDCs/T5u8S1/bP:1Cyg8UCBk80HXzp7pcDCsr5JSNbP
                      MD5:62661819491153F09F449BE3E966FFF1
                      SHA1:2DAD29DA56DB5B08CBF6827C083690F8DD39BDAC
                      SHA-256:60DC23373C23F13FFA5C72D59D96E8398F0F6B301161B3A4A17CC2FC7DE243F9
                      SHA-512:B47369790EE32E5F8BCFDD80C1C2302F480E79B02A917E49C1390477C11896452A8041E9E40A6C131583FB6D5110C7975E9D6E8F020B8BF75B65382C489065E3
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:gAWY3n:qY3n
                      MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                      SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                      SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                      SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                      Malicious:false
                      Preview:[ZoneTransfer]..ZoneId=3..
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with very long lines (28728), with CRLF line terminators
                      Category:dropped
                      Size (bytes):20971520
                      Entropy (8bit):0.16146465528371967
                      Encrypted:false
                      SSDEEP:1536:vp7cU2dHUGTb2DSPDOE8J9GtQTH3b90BQojH5uwk2Juk17dcB:HyH9ODSiNDqt
                      MD5:E999EB10E1FED781780263CF66DBE464
                      SHA1:87086017CC279C464147F3E6FBE2CD7E0E312622
                      SHA-256:53C5FAFDA21C854EEF20CD06E13EB7EDCF55329F23F4917993A3794DD2CF6CCB
                      SHA-512:1B7D767597AD874142E33A2EF4E43AB4173D6B68D4B34817EDE6F85B9B25D644879FA3DF23D1AA11ACE1B3EBCAD0E31F07F459E5443A02135C568C741B98EFB0
                      Malicious:false
                      Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/31/2024 08:17:19.900.OUTLOOK (0x16BC).0x1130.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-10-31T08:17:19.900Z","Contract":"Office.System.Activity","Activity.CV":"GP/Kxpn7pkOUZKwf93n/QA.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/31/2024 08:17:19.994.OUTLOOK (0x16BC).0x1130.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-10-31T08:17:19.994Z","Contract":"Office.System.Activity","Activity.CV":"GP/Kxpn7pkOUZKwf93n/QA.4.10","Activity.Duration":70922,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):20971520
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                      SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                      SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                      SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):94208
                      Entropy (8bit):4.466499657021546
                      Encrypted:false
                      SSDEEP:768:Jy/qxXRVQeoJ+9q+D2o4m1IO9GMilagV+GbS3CXYnyWMW9HfHmaFWCW+j:r4lO9GMHGm3CXsHn
                      MD5:7831ED444C75ACEE9D057B2042B9580C
                      SHA1:FBE019E8753118A775B6F763E1FADEC2AB36A476
                      SHA-256:17D91163DBEEF5C884930A7279FCFC6DA4DC5E12B315A3C8C80546483EE1C97F
                      SHA-512:CAB4067FC39A21803A9BACE82D90480435DD45D7B4D51D2E71CB5BD2FE3A42DCD3657F724913D175C2FF225FEFF0F053130D2FE0BB3B57DDD3C3AC04541BD16D
                      Malicious:false
                      Preview:............................................................................d...0........G.Mm+..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................................G.Mm+..........v.2._.O.U.T.L.O.O.K.:.1.6.b.c.:.7.0.3.4.e.6.d.d.e.9.3.0.4.b.c.3.a.6.6.0.7.8.b.f.b.c.3.7.5.6.c.8...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.3.1.T.0.4.1.7.1.9.0.2.9.1.-.5.8.2.0...e.t.l...........P.P.0..........Mm+..................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):163840
                      Entropy (8bit):0.4766297514601212
                      Encrypted:false
                      SSDEEP:384:W9sFrxHcMD6G8UwmJGEei1AvMgGiXHOu:WZQtYmJGED1eMgGiXHO
                      MD5:A5C399E6F7E75713041D25009A4CBFA6
                      SHA1:DC44FD460D6FA5961094D7129D18B0693C6E15C6
                      SHA-256:C3F902C2ECD1FD77FEF5F9FDB2AEF4991D89F031C3E8E46939DBC9FDB0FD6B53
                      SHA-512:DA2FB82D6892E52C25504E30880C2ACDFE6D3C7A11854A638BE28F9BEBB240DFD7B21567AE2803CAAC6DC21037F6FCB6A4AFF56CDCA84412DB2CFB7205883A03
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):30
                      Entropy (8bit):1.2389205950315936
                      Encrypted:false
                      SSDEEP:3:mtlt:mtl
                      MD5:C75E4689A2356068EEADF338E8F6AEF0
                      SHA1:3F9E4C997381B205D06112C8B4E8B824E06AA17F
                      SHA-256:A86C52611E62D812393238DE19266E0EF828E26B0DDE1A5266CA4D18ADD5CC1B
                      SHA-512:6B62E47751321C373053C39663A09058E3E0CE9A1C4B3D53E6A1DDD7A312A1679206225D6D92A941AAE7437EA4CB12944A1830C2533537865928A3710AF00440
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):16384
                      Entropy (8bit):0.6693340777756664
                      Encrypted:false
                      SSDEEP:12:rl3baFVKqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCx+:remnq1Py961I
                      MD5:8C55F21909BB73C2F846D680CA83A14C
                      SHA1:0CC70FA36183F530EDBF9C0E7C778F89E43B931E
                      SHA-256:3511F4D34704E6668D306D37CAF336BA5A965D01D5EF62DB2EFA722157AB310D
                      SHA-512:4E950B23C95B9F3D40340CB879095E8FFCA47EF467BF01F4FCA40156DC2166C7B33519241014E68EAC14AC9D707CE4E0D4AA3D5760DE1665E4220612FD975838
                      Malicious:true
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:Microsoft Outlook email folder (>=2003)
                      Category:dropped
                      Size (bytes):271360
                      Entropy (8bit):1.4160091856971169
                      Encrypted:false
                      SSDEEP:768:5Qc9EVYaT5FUOva4WH9cJ2aGCMF3W8BUTIZ:/uTvaR2aF3WeNZ
                      MD5:F88E1F28791674169BB0B7B0BDA663AB
                      SHA1:2A0E6C3EB330ACC4AC39AAD1FEEB0940B54FEB9A
                      SHA-256:479C706966AAC1D6D98301CFEBBD8BF9D877B8D66E8FB65E7358D982C90155D5
                      SHA-512:D5673AFE0554A2904872033B9F7F07F4DA65B811BCFA45080FB111CAA22674FB4117A9A5D2C5C43E204F83BF1A5B7DCF8F2B08BC050B465FFF414401FBB488BB
                      Malicious:true
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:OpenPGP Public Key
                      Category:dropped
                      Size (bytes):131072
                      Entropy (8bit):0.5342602136204673
                      Encrypted:false
                      SSDEEP:384:bmkv9qSN1LpSmpSKIkvVNA0eTAavusGmot8+zagV5:rG
                      MD5:A6A673B8EDA6F85BEA6AB7A77CE3510B
                      SHA1:66F90096B681B5CC51163FAD71A0B4DC97BE52D3
                      SHA-256:DE02F71AFDB1A8F813BDE2C3FEC0FF6C40C0F16EAAF5CD4986CAFC369523BB17
                      SHA-512:B2C04019F14413D539E2745BD9DAB4FC7D9FE1C839D172422226284153FB2E6A64572844E0794049E2E04C61F1C218CACB753B67CD6F88B4DB717C299B048731
                      Malicious:true
                      File type:CDFV2 Microsoft Outlook Message
                      Entropy (8bit):5.488132212161359
                      TrID:
                      • Outlook Message (71009/1) 58.92%
                      • Outlook Form Template (41509/1) 34.44%
                      • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                      File name:Voglio essere il tuo segreto piu profondo il tuo confidente..msg
                      File size:179'200 bytes
                      MD5:71f26efab530b8ab51af5e22d23061b9
                      SHA1:bbc5040bf48ab5137a4ecf4b6f7ac3e528275a62
                      SHA256:e590660290830aaccc401e576581aa76e618c1b075ad8877c65408ab3c70ca1f
                      SHA512:17693cf3698bd64d05fb67bebe9cb619f30859a01f39f91c88e2e1a087e297e02d9732cc2868f24eab881b1def2bd0c96184f1a78a5eecce1ab72a446d344b6a
                      SSDEEP:3072:kMu0I13L3tzclCyg8UCBk80HXzp7pcDCsr5JSNbL1:ur1LYCb1Xzpiv8b
                      TLSH:9604B8203AFA511DF3B3AF718BE1B4AF452AFD636E15966E2151330D0732941DC62B3A
                      Subject:Voglio essere il tuo segreto piu profondo, il tuo confidente.
                      From:postaalina <perrone@talktalk.net>
                      To:"perfetto angela (mps-09301)" <angela.perfetto@mps.it>
                      Cc:
                      BCC:
                      Date:Thu, 31 Oct 2024 06:32:15 +0100
                      Communications:
                      • [You don't often get email from perrone@talktalk.net. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification.] [External]: This e-mail comes from an address outside the organization. Do not click any link or attachment unless you are sure of the sender. Hello perfetto angela (mps-09301), My name is Alina and I am 38 years old. I am writing to you from Pavlodar, Kazakhstan. I am a cheerful and positive woman, with a big heart and a desire to live life to the fullest. I have always dreamed of meeting new people and making friends with people from different cultures. Your Italian origin fascinates me; I love Italian art, history and cuisine. My life is full of passions: I love reading, listening to music, dancing and travelling. I like discovering new places, tasting new cultures and learning new things every day. I have travelled to several countries of the world, but I have always wanted to visit Italy. I am a very sincere, loyal and reliable person. I am looking for a friend with whom to share my thoughts, my experiences and my passions. A friend who is open-minded, curious and willing to get to know my culture and my way of life. I would like to get to know you better, my friend. Tell me something about yourself: how old are you? What do you like to do in your free time? Do you have any particular hobby? Where do you live? Have you ever travelled abroad? What do you think of classical music? Do you prefer it to rock or electronic music? What are your greatest passions in life? I am very curious to know your story and your personality. I am sure we could have many things in common. I have many friends in different countries of the world, but I would like to have a special friend like you. A friend to talk with about everything and nothing, to share happy moments and overcome difficulties together. If you are interested in getting to know me better, please reply to this message. I will be happy to tell you more about myself and also send many photos of me if you wish. I look forward to hearing from you! postaalina@postatu.site A warm hug, Alina
                      Attachments:
                      • 1647275689_4782.jpg
                      Key Value
                      Received: from proxy-12.proxy.shared.ns.xion.oxcs.net (proxy-12.proxy.shared.ns.xion.oxcs.net [200.114.215.72])
                      05:32:30 +0000
                      by PAXPR03MB7651.eurprd03.prod.outlook.com (2603:10a6:102:200::17) with
                      2024 05:32:26 +0000
                      (2603:10a6:10:540::17) with Microsoft SMTP Server (version=TLS1_2,
                      Transport; Thu, 31 Oct 2024 05:32:26 +0000
                      Authentication-Results: spf=pass (sender IP is 62.24.135.131)
                      Received-SPF: Pass (protection.outlook.com: domain of talktalk.net designates
                      15.20.8114.16 via Frontend Transport; Thu, 31 Oct 2024 05:32:26 +0000
                      id 6NnFthN3sX6KT6NnFt5vaB; Thu, 31 Oct 2024 05:32:25 +0000
                      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=talktalk.net;
                      h=From:To:Subject:Date;
                      X-Originating-IP: [153.92.124.143]
                      for <angela.perfetto@mps.it>; Thu, 31 Oct 2024 05:32:21 +0000 (UTC)
                      Message-ID: <85e579d2265ac4cfeb0148e31781bbb0e67b812a@talktalk.net>
                      From: postaalina <perrone@talktalk.net>
                      To: "perfetto angela (mps-09301)" <angela.perfetto@mps.it>
                      Subject: Voglio essere il tuo segreto piu profondo, il tuo confidente.
                      Date: Thu, 31 Oct 2024 08:32:15 +0300
                      MIME-Version: 1.0
                      Content-Type: multipart/mixed; boundary="a269208bc7b79d91f25811ba1cc8e29cebabe3"
                      X-VadeSecure-Status: LEGIT
                      X-VADE-STATUS: LEGIT
                      X-CMAE-Envelope: MS4wfJBtxEy6rCoNz2A4vaL+6+u9iH6hOB6K/E8deReKv7ufWff6RZ9g1yxbBuBBXVPZPn/vY7dbnBpL8fRFeBjK/5PDmQM3xv455KEpJRsvjBzqq8/neisT
                      Return-Path: perrone@talktalk.net
                      X-MS-Exchange-Organization-ExpirationStartTime: 31 Oct 2024 05:32:26.2233
                      X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                      X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                      X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                      X-MS-Exchange-Organization-Network-Message-Id: da13e320-bb10-4d92-e550-08dcf96d6774
                      X-EOPAttributedMessage: 0
                      X-EOPTenantAttributedMessage: 402b15a5-7cb9-4d1b-85a3-49542f8bd230:0
                      X-MS-Exchange-Organization-MessageDirectionality: Incoming
                      X-MS-PublicTrafficType: Email
                      X-MS-TrafficTypeDiagnostic: DB5PEPF00014B9B:EE_|PAXPR03MB7651:EE_|AM7PR03MB6247:EE_
                      X-MS-Exchange-Organization-AuthSource: DB5PEPF00014B9B.eurprd02.prod.outlook.com
                      X-MS-Exchange-Organization-AuthAs: Anonymous
                      X-MS-Office365-Filtering-Correlation-Id: da13e320-bb10-4d92-e550-08dcf96d6774
                      X-MS-Exchange-AtpMessageProperties: SA|SL
                      X-MS-Exchange-Organization-SCL: 1
                      X-Microsoft-Antispam: BCL:0;ARA:13230040|7093399012;
                      X-Forefront-Antispam-Report: CIP:62.24.135.131;CTRY:GB;LANG:it;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:smtp-out-3.tiscali.co.uk;PTR:smtp-out-3.tiscali.co.uk;CAT:NONE;SFTY:9.25;SFS:(13230040)(7093399012);DIR:INB;SFTY:9.25;
                      X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Oct 2024 05:32:26.1139
                      X-MS-Exchange-CrossTenant-Network-Message-Id: da13e320-bb10-4d92-e550-08dcf96d6774
                      X-MS-Exchange-CrossTenant-Id: 402b15a5-7cb9-4d1b-85a3-49542f8bd230
                      X-MS-Exchange-CrossTenant-AuthSource: DB5PEPF00014B9B.eurprd02.prod.outlook.com
                      X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                      X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
                      X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR03MB7651
                      X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.6111238
                      X-MS-Exchange-Processed-By-BccFoldering: 15.20.8093.027
                      X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
                      X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?4+ZEDIAcOZaVOMUYXRyzYSBkqwk7A4kcbkRQXup6VrvoBQlGnY1q/GBQYoSD?=
                      date: Thu, 31 Oct 2024 06:32:15 +0100

                      Icon Hash:c4e1928eacb280a2
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 31, 2024 09:17:31.914702892 CET | 53 | 60672 | 1.1.1.1 | 192.168.2.5
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.22 | A (IP address) | IN (0x0001) | false
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.38 | A (IP address) | IN (0x0001) | false
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.43 | A (IP address) | IN (0x0001) | false
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.41 | A (IP address) | IN (0x0001) | false
                      Oct 31, 2024 09:18:31.797260046 CET | 1.1.1.1 | 192.168.2.5 | 0xad1d | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.27 | A (IP address) | IN (0x0001) | false

                      Target ID:0
                      Start time:04:17:16
                      Start date:31/10/2024
                      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Voglio essere il tuo segreto piu profondo il tuo confidente..msg"
                      Imagebase:0x360000
                      File size:34'446'744 bytes
                      MD5 hash:91A5292942864110ED734005B7E005C0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:2
                      Start time:04:17:22
                      Start date:31/10/2024
                      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5AD6BAF7-0435-4FA5-B83B-916B9126B7DB" "44F063DC-8E07-4497-AD1D-24953602D4D2" "5820" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                      Imagebase:0x7ff7ea2a0000
                      File size:710'048 bytes
                      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      No disassembly