Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:phish_alert_sp2_2.0.0.0.eml
Analysis ID:1558743
MD5:c646457ff1967c5d970bc101eda5c977
SHA1:6dea115db19b3be1269ea703153ad19e6465fcd1
SHA256:a3cdc86a279395cf7277e9ace4bf4b8a3f8815b21c8198da01d091a24fea3902

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 1060 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 3352 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FE1BC693-9336-4AD9-883F-3B9E7D245435" "53E4F8D4-94A0-436E-A5CE-0A69164A14EE" "1060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 1060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://tasks.office.com
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://templatesmetadata.office.net/
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: phish_alert_sp2_2.0.0.0.emlString found in binary or memory: https://urldefense.=
Source: ~WRS{27D8BC0E-604C-44E3-9517-E4F8ED6BD94D}.tmp.2.drString found in binary or memory: https://urldefense.com/v3/__http://www.ubisense.net/__;
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://webshell.suite.office.com
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://wus2.contentsync.
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 4623AA15-E099-466A-B9BB-DAA3246018DD.2.drString found in binary or memory: https://www.yammer.com
Source: classification engineClassification label: clean1.winEML@3/13@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241119T1303310334-1060.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FE1BC693-9336-4AD9-883F-3B9E7D245435" "53E4F8D4-94A0-436E-A5CE-0A69164A14EE" "1060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (50 events)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Behavior Graph (ID: 1558743; Sample: phish_alert_sp2_2.0.0.0.eml; Startdate: 19/11/2024; Architecture: WINDOWS; Score: 1): OUTLOOK.EXE started, which in turn started ai.exe.

No Antivirus matches
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://api.diagnosticssdf.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://login.microsoftonline.com/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://shell.suite.office.com:1443 | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://designerapp.azurewebsites.net | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://autodiscover-s.outlook.com/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://useraudit.o365auditrealtimeingestion.manage.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://outlook.office365.com/connectors | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://cdn.entity. | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.addins.omex.office.net/appinfo/query | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://clients.config.office.net/user/v1.0/tenantassociationkey | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://powerlift.acompli.net | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://rpsticket.partnerservices.getmicrosoftkey.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://lookup.onenote.com/lookup/geolocation/v1 | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://cortana.ai | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.powerbi.com/v1.0/myorg/imports | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://notification.m365.svc.cloud.microsoft/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://cloudfiles.onenote.com/upload.aspx | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://entitlement.diagnosticssdf.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.aadrm.com/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://ofcrecsvcapi-int.azurewebsites.net/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://canary.designerapp. | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://ic3.teams.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://www.yammer.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.microsoftstream.com/api/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://cr.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://messagebroker.mobile.m365.svc.cloud.microsoft | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://otelrules.svc.static.microsoft | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://portal.office.com/account/?ref=ClientMeControl | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://edge.skype.com/registrar/prod | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://graph.ppe.windows.net | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://res.getmicrosoftkey.com/api/redemptionevents | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://powerlift-frontdesk.acompli.net | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://tasks.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://officeci.azurewebsites.net/api/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.scheduler. | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://my.microsoftpersonalcontent.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://store.office.cn/addinstemplate | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.aadrm.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://edge.skype.com/rps | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://outlook.office.com/autosuggest/api/v1/init?cvid= | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://globaldisco.crm.dynamics.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://messaging.engagement.office.com/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://dev0-api.acompli.net/autodetect | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://www.odwebp.svc.ms | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.diagnosticssdf.office.com/v2/feedback | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.powerbi.com/v1.0/myorg/groups | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://web.microsoftstream.com/video/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://api.addins.store.officeppe.com/addinstemplate | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://graph.windows.net | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://dataservice.o365filtering.com/ | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://officesetup.getmicrosoftkey.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://analysis.windows.net/powerbi/api | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://prod-global-autodetect.acompli.net/autodetect | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://substrate.office.com | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | high |
| https://outlook.office365.com/autodiscover/autodiscover.json | 4623AA15-E099-466A-B9BB-DAA3246018DD.2.dr | false | | |
                                                                                                                                      high
                                                                                                                                      https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                        high
                                                                                                                                        https://consent.config.office.com/consentcheckin/v1.0/consents4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                          high
                                                                                                                                          https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                            high
                                                                                                                                            https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                              high
                                                                                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                high
                                                                                                                                                https://notification.m365.svc.cloud.microsoft/PushNotifications.Register4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://d.docs.live.net4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://safelinks.protection.outlook.com/api/GetPolicy4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://ncus.contentsync.4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                            high
                                                                                                                                                            http://weather.service.msn.com/data.aspx4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://apis.live.net/v5.0/4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://officepyservice.office.net/service.functionality4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://templatesmetadata.office.net/4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://messaging.lifecycle.office.com/4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://mss.office.com4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://pushchannel.1drv.ms4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://management.azure.com4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://outlook.office365.com4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://wus2.contentsync.4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://incidents.diagnostics.office.com4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://clients.config.office.net/user/v1.0/ios4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://make.powerautomate.com4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://api.addins.omex.office.net/api/addins/search4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://insertmedia.bing.office.net/odc/insertmedia4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://outlook.office365.com/api/v1.0/me/Activities4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://api.office.net4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://incidents.diagnosticssdf.office.com4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://asgsmsproxyapi.azurewebsites.net/4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://clients.config.office.net/user/v1.0/android/policies4623AA15-E099-466A-B9BB-DAA3246018DD.2.drfalse
                                                                                                                                                                                                          high
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1558743
Start date and time:2024-11-19 19:02:21 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:phish_alert_sp2_2.0.0.0.eml
Detection:CLEAN
Classification:clean1.winEML@3/13@0/0
EGA Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .eml
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 13.89.179.13
• Excluded domains from analysis (whitelisted): ecs.office.com, otelrules.azureedge.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, neu-azsc-config.officeapps.live.com, onedscolprdcus21.centralus.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: phish_alert_sp2_2.0.0.0.eml
No simulations
No context
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):231348
                                                                                                                                                                                                          Entropy (8bit):4.378855408403186
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:ugYLY2gs/GesxYQqXgsBbNcAz79ysQqt2LsJ5qoQ2Rrcm0FvB2wyYn07633ETO+f:4xgDORgqmiGu2kqoQMrt0FvE/Qg2KRck
                                                                                                                                                                                                          MD5:BC850E168DF80C8C4E8709B34A707BD1
                                                                                                                                                                                                          SHA1:10AE8E5437F99913EAC7FB056E206B9E825221DB
                                                                                                                                                                                                          SHA-256:EF9F4A1413945710E9F50A28B29EDD0BDA10FA5D06A121CE2E66601D034EBA7F
                                                                                                                                                                                                          SHA-512:00F64138AD1985F01EDD5C4B70522E4496FB7C6119CCC7B6B655627C1371C6DD3F805CCBAA9310D98E2C7B891F671133225C10D38EB79666F5001EA50BFE4725
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview:TH02...... ....I.:......SM01X...,.....I.:..........IPM.Activity...........h...............h............H..h.........rX....h........H...H..h\eng ...r\Ap...h8...0...`......h/u.}...........h........_`.k...hcv.}@...I.6w...h....H...8..k...0....T...............d.........2h...............k..............!h.............. hT.......x.....#h....8.........$hH.......8....."h..............'h..............1h/u.}<.........0h....4.....k../h....h......kH..h.R..p.........-h .............+h.u.}........................ ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:dropped
Size (bytes):1869
Entropy (8bit):5.086296595926624
Encrypted:false
SSDEEP:48:cG3/Odnzy7dyrB4nzyeiSy30Jdyrh3nzytRdy+GkSyrf1nzybIdywYASyQEdSyO:Od27Eu2BbOE92zEebJ2sE7AbHdbO
MD5:E4675FAA142937B322CD6CFA3B213930
SHA1:70D9AFF0C05128D5237B34CA0BE424635EAC52D4
SHA-256:14985862B5B3F02AC424F97A6B2F541014C8E4F0B090D69DB2758229310CDEC5
SHA-512:D24B89E38902F66CE31E0443D87D63B777D32FDC2EC40291A8FA3819B04E338BE79E5B026614C5AF58269CA043B37B8C0751D6A4D3C60984E9FA89999A266D1B
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-05T06:31:08Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2024-11-19T18:03:35Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-05T06:31:08Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-05T06:31:08Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>31169036496.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Apto

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):180335
Entropy (8bit):5.289233041844652
Encrypted:false
SSDEEP:1536:oi2XfRAqFbH4wglEwLe7HW8QM/o/NMOcAZl1p5ihs7EXXNEADpOoa5YdGVF8S7CC:dRe7HW8QM/o/aXSb1x
MD5:009D7F2B072570084738BE450B4E1B21
SHA1:E2D0FEBE9E55F0ACA1FC4EE9A09498E26FBC693B
SHA-256:6BD7A158F3F41EE1911BEE259FCFC1FF30E2F1DEE0F4FC7EFA80C64ECADC70DB
SHA-512:7A3B15E7F011687AB1314D568A5EBDA30B339C7E715C474A64400B091F93EF8C79B0D3FCF117D6A69693D4FA13F96189D14D74823FF2A94A269E42815584CE77
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-19T18:03:34">.. Build: 16.0.18307.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04583532429010245
Encrypted:false
SSDEEP:6:GtFTjrI2Y9FTjrI2Y2lX9X01PH4l942wU:MTjU9LTjU92ld0G3L
MD5:47DCD01869D82D0686E651F18AB93950
SHA1:234666EECE46D57E37E7F00765580182556A20EB
SHA-256:BC30C8F435E22D1A99483A1AA87F1523F98C205152178014CAB39596BCE93A25
SHA-512:FA8CB059311D18FA95D25040AB20C2635E78B8046FB3965BBBEF2C71A379618343ED9168DCD666972E2C9979E3EDA1F0D141759AA732E49550FF7CBBAD8B5E61
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):49472
Entropy (8bit):0.4827380583358906
Encrypted:false
SSDEEP:48:+jQ1uUll7DYMoL+ZJzO8VFDYMzLdoBO8VFDYML:dfll4IbjVGUOjVGC
MD5:7B752EBFF2C2BF7FDCA392346CB2D581
SHA1:A334E976FECAB4D622C26BF855E1AEACFA21A65A
SHA-256:A3188192EBA9E4288BB7B4E02D270AA3E13195C769806BD2B4E1A6AD91BA57C5
SHA-512:9BC383AE6765F88BE200CFF2E692DFB8EBBEA19CD48A4F0762BD216E0D81322BFC8305AFC45F1838BDA8D12620E4025E2D9F8EF71B132ABA8362CAC04FD38E80
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:PNG image data, 91 x 24, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):3052
Entropy (8bit):7.91898993016645
Encrypted:false
SSDEEP:48:yfqdaN/qLWgPYpMuCKepopJ5smt7d/sveoh9gtxOGM0AN67Ad/YA64ug3EgN5/su:yfqOqLWiwIFpop/BROfh9gLHorY9Vg3/
MD5:2D097EE4821F9919C0C515A945A56C27
SHA1:57692B8FCF6B6CBD0D5BB665BF23A8BA3868D077
SHA-256:80CB378B1D87E54AC6873BE4D1712D24941E3518F78D87605C0085EE636EA2A6
SHA-512:3F677BF85F8575ADA20A4C3A4A1499D59AF1A39907BBCC18E4595C02E80F84B991F90CDFBFCAC9ABB0081279D4B0AA843A76550E5647FF2E8BB304B63B32D53F
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):5524
Entropy (8bit):3.1543702429566336
Encrypted:false
SSDEEP:96:JnNQmccjlgV2bVxInQZage5VCj1QYbutl23cgRgggggNoyS0k:Nk8VeQgQbKUe
MD5:7162DA9AE3D3504B8D142A117DF1AD67
SHA1:EFDFA197784D142EF55C00ACB4FD13AD9593FD00
SHA-256:A2863078726BA7A846731F04266732D2842287FC2FB06D05A637A5F9BEB9B9D4
SHA-512:CA27D35E6F03D0F2DFCB9173B4D5DDD8DA4BE49FCC65FE3AD377D33C591E3FE0E2604136DF59D950B2AFD297D53AED152F513BF7C870E68CA8CFFD47AD02A2ED
Malicious:false
Reputation:low
                                                                                                                                                                                                          Preview:....E.X.T.E.R.N.A.L.:...D.o. .n.o.t. .c.l.i.c.k. .l.i.n.k.s. .o.r. .o.p.e.n. .a.t.t.a.c.h.m.e.n.t.s. .i.f. .y.o.u. .d.o. .n.o.t. .r.e.c.o.g.n.i.z.e. .t.h.e. .s.e.n.d.e.r.....H.i.,.......L.a.t.e. .o.n. .t.h.e. .1.8.t.h...............................................................................................................................................................................................................................................................................................................................X...\........................................................................................................................................................................................................................................................................................................................................................................................................................................................-D..M..............

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28754), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16203314620980475
Encrypted:false
SSDEEP:1536:GU/C05sHTuHpZyUCKNArLadNLULSnywfWHijByEUPQ7BkLPHn8:X5cWpZkfQCx
MD5:5694ACC4D6A30D8C12EC603199BA1DA9
SHA1:EEC5D0B15C263FAB9A39148CD4B2F549150BFA06
SHA-256:51CA0F468D38C745632BA6669242D5B162ABC9EB8B7F4F87B2A9F5DA0829A5A1
SHA-512:8AD54E86212D2D3379ECC229400B05B00EEB43E74F3E346DDDAB428A0B34CB3E714FACAA5729087390CEF6DE9DAD012F165DEEB84D32A8B73329A8B0A3F389A4
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/19/2024 18:03:32.038.OUTLOOK (0x424).0x12A8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-11-19T18:03:32.038Z","Contract":"Office.System.Activity","Activity.CV":"XfNNKiQoa0WW03a05r7ZBQ.4.9","Activity.Duration":17,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...11/19/2024 18:03:32.069.OUTLOOK (0x424).0x12A8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-11-19T18:03:32.069Z","Contract":"Office.System.Activity","Activity.CV":"XfNNKiQoa0WW03a05r7ZBQ.4.10","Activity.Duration":16560,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
                                                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):110592
                                                                                                                                                                                                          Entropy (8bit):4.483847604219217
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:keabXKho+D4EZQVED923VPzEzap4WmW/XiKHEZoVYL9dV/NjlS:N4jVo923dzfdXYUwxlS
                                                                                                                                                                                                          MD5:FD600B837E62AC5DACEE0D244BB2439B
                                                                                                                                                                                                          SHA1:B5B48C771979E520CCE1B8F832D8131B771CEA05
                                                                                                                                                                                                          SHA-256:FC8D4514D0F22C572754E7932244B9336EDC1488405301610CFEF3E53CC889E6
                                                                                                                                                                                                          SHA-512:0DB164A3F205B7F2F0F41616290223369008E01894293AE51FA336E21F5CAB3E7AA628475FFE374BE3BA18E771EC05161C1ED011CA99F477EF266C5DB1FEB7AF
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............................................................................f.......$....y.W.:..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1........................................................... m..H............y.W.:..........v.2._.O.U.T.L.O.O.K.:.4.2.4.:.a.b.1.b.f.6.2.4.a.b.6.f.4.2.a.9.b.f.e.0.1.d.7.8.6.d.a.7.e.8.a.2...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.1.9.T.1.3.0.3.3.1.0.3.3.4.-.1.0.6.0...e.t.l.........P.P.....$.....W.:..................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):30
                                                                                                                                                                                                          Entropy (8bit):1.2389205950315936
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:IWl1:I
                                                                                                                                                                                                          MD5:B963FB2E302BB11468D0304C35DA40BC
                                                                                                                                                                                                          SHA1:D990B3BB359A2E47F0409FDD0B44733A724CC7E2
                                                                                                                                                                                                          SHA-256:F5A39F96190833108F23A1BDA139867BD863685B7CB2EFEE30B40DE23B3B49E2
                                                                                                                                                                                                          SHA-512:56D1F4D95593ECD807125E4A1D047FA1E4631AC0FE136CE514344821E8F41925E14DF02DF44632D73AA619AD57656E030B982886A48586A50EE36926E61D60DE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............................
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                          File Type:Microsoft Outlook email folder (>=2003)
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):271360
                                                                                                                                                                                                          Entropy (8bit):2.9738699345368245
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:uBEwIqMtq3Pdc/n8W+PEZk4i58cUy8WMJCeINTsbrHMTW53jEpEHP4qQ10PAwr65:eYt8v8cUQItIN7lp9hgKQp9
                                                                                                                                                                                                          MD5:D882622CD3EB1917F4D088A01954EC7F
                                                                                                                                                                                                          SHA1:3065AFA28D93FCA62AC385709817E4E4D26DB3B3
                                                                                                                                                                                                          SHA-256:C53AF146355441B530A977DE024FBBE420126B16BB763B9C8C00CFA69A1F0554
                                                                                                                                                                                                          SHA-512:B6DD0D25E12A515D7FFF93EF49B56086829E71C3B789E8A52C363D22C70D8612F0D6F041705EC8D73AEF20FAFB0C7545E23D5B4AD4316EC6EF301933E9363B3E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:!BDN.M{=SM......\........Q..............]................@...........@...@...................................@...........................................................................$.......D..........................................................................................................................................................................................................................................................................................................................................xgz0.Q+.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):131072
                                                                                                                                                                                                          Entropy (8bit):4.057976700225214
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:Ge0PAwr1+Xlpgr58MUy8BMjNCeINTW53jEpEHP4qQ10PAwrsObzwkHM:h48MUvyNtINlp9VN
                                                                                                                                                                                                          MD5:7AD90C6A10332AED0DE2B5FB4ECEDB6C
                                                                                                                                                                                                          SHA1:3E18E9556797950047D43B19839D99216A7C29E7
                                                                                                                                                                                                          SHA-256:E734445031EC903EE61AF42344BF13A305327FE5EC431CF1C09ED8D5F373874B
                                                                                                                                                                                                          SHA-512:D6512E398876C449CF6810562DAE29432F4B2F78BEC4843095CAFDD3433A9BEAD17BA2BF184FE9B179AF54292CB2CAF6A8ED48B401826A27E63876B0423EEACD
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:Z.A.0...|.......$......T.:.......D............#.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................'.+..D.........w0...}.......$......T.:.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          File type:RFC 822 mail, ASCII text, with very long lines (2201), with CRLF line terminators
                                                                                                                                                                                                          Entropy (8bit):6.047495035721616
                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                          • E-Mail message (Var. 5) (54515/1) 100.00%
                                                                                                                                                                                                          File name:phish_alert_sp2_2.0.0.0.eml
                                                                                                                                                                                                          File size:27'221 bytes
                                                                                                                                                                                                          MD5:c646457ff1967c5d970bc101eda5c977
                                                                                                                                                                                                          SHA1:6dea115db19b3be1269ea703153ad19e6465fcd1
                                                                                                                                                                                                          SHA256:a3cdc86a279395cf7277e9ace4bf4b8a3f8815b21c8198da01d091a24fea3902
                                                                                                                                                                                                          SHA512:70ae07843deb650bc979c25bc2ee0dd411f189e3231a8c758b8040e99d21a766a9ffae7e6d6bff6c81b556b3bf17a638d0b3eb63ed0d33ba78bf3223bab07c67
                                                                                                                                                                                                          SSDEEP:768:6GlQtMQeMPc9qkZiTtc7ZATH2+VCMS3Jl8LdSKjoVb:XlQtM6JMMS5leoZ
                                                                                                                                                                                                          TLSH:AEC26C11618601A6AAE253D8B423B71D33F214888773CCB57D27A2F999CF875A37738D
                                                                                                                                                                                                          File Content Preview:Received: from VI1P191MB0717.EURP191.PROD.OUTLOOK.COM.. (2603:10a6:800:135::8) by PRAP191MB2090.EURP191.PROD.OUTLOOK.COM with.. HTTPS; Tue, 19 Nov 2024 17:13:24 +0000..Received: from DU7P190CA0013.EURP190.PROD.OUTLOOK.COM.. (2603:10a6:10:550::35) by VI1P1
                                                                                                                                                                                                          Subject:Casey Riva - Compromised email sent
                                                                                                                                                                                                          From:Steve Cook <steve.cook@ubisense.com>
                                                                                                                                                                                                          To:Steve Cook <steve.cook@ubisense.com>
                                                                                                                                                                                                          Cc:
                                                                                                                                                                                                          BCC:
                                                                                                                                                                                                          Date:Tue, 19 Nov 2024 17:13:08 +0000
                                                                                                                                                                                                          Communications:
• EXTERNAL: Do not click links or open attachments if you do not recognize the sender.

Hi,

Late on the 18th November, Ubisense detected a cyber security incident that has resulted in a compromised file being sent out, apparently initiating from an account belonging to one of our members of staff. We immediately took action to contain the issue, and prevent any further impact on Ubisense or its customers. At this stage we have not seen any further abnormal behaviour within our information systems.

We do not believe any data, other than the contacts used to send the message, were exfiltrated or disclosed. However, you should delete the compromised e-mail; do not try to open it or provide any authentication information! If you have attempted to open the document, please make sure your IT team is aware and follow their advice.

We are conducting an investigation to determine the root cause of this incident and, once this has been completed, we are happy to provide further updates upon request. In the meantime, please contact me if you have any questions or concerns.

Regards,
Steve Cook
Systems Manager
m: +44 (0) 1223 781009
e: steve.cook@ubisense.net (href: mailto:steve.cook@ubisense.net%0d)
w: www.ubisense.com (href: https://urldefense.com/v3/__http://www.ubisense.net/__;!!I_DbfM1H!DcihxqnHi1k3XbSP-EHBoKZVzJYowkFmbUZ81H6ftuXz_Wl_-BHbtG1U6rV9flZMkuOZaarsmVmbuR8V-d3Z-g$)

This email has been sent by and on behalf of Ubisense Limited. Ubisense Limited is a company registered in England and Wales (registered number 04489603) and its registered office is St Andrews House, St Andrews Road, Chesterton, Cambridge, CB4 1DL.

Disclaimer: The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorised to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation to the contents of this information is strictly prohibited and may be unlawful. If you have received this email in error, please inform us immediately and delete all copies of it. The company has taken reasonable precautions to ensure no viruses are present in this email. However, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
Attachments:
• Outlook-ghmt04mr.png

Headers (Key: Value):
Received: from CWLP123MB5555.GBRP123.PROD.OUTLOOK.COM ([fe80::e2b9:cb40:3fde:ad16]) by CWLP123MB5555.GBRP123.PROD.OUTLOOK.COM ([fe80::e2b9:cb40:3fde:ad16%7]) with mapi id 15.20.8182.013; Tue, 19 Nov 2024 17:13:08 +0000
Arc-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=oomUfbAKdBgCFemzk0C0flP/6ByqQ6W43U1HTExy0Ysdw0v90qhrnFYyueMWT16tRZ4TeXJ+u05AoksLACznNAH0zWAiZnx0uFl4AJ+MY6rvk/Bpbyb5hPyYmDP8oIaq/yOr8T4v2ylYRXB9BgL2HrYiaWoGfCZ3DGk6yU7/XPWTl09CPG5Lo1zJaBidYLhIeGo2SLXqlT4bhKp31XsW3jcAzCijzQ+IRnOUJJ+I17l3VDPR1CetYHnLwiSPdwGU1pMPk9tVl+7PDWHtWghsZ+0CpZrGJlJr5j2LG2QzUVFR/hxwPMzCmAfaBEioIkg/tRrSC47UqYZ0qbtK9gAmJQ==
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9KggeXjp92RGmOIOfCLO2nhxiSuM4VOcnwTYQVGfqNw=; b=vXl2bsdPAEjOAFX4kXliD1HD8Sk5YMhX5wIWK0CBWw9x1dTw1dNT1PibxlGVrSb6ZXDRNH5eq0tCTH6kLU6XFSbK/LmASKNqWq8bBhSwjoenZtgTG9v1+w1bTQwrUJa9W8e3P8IeNR7HrnWBaFcRiVbUt0G8pG8THgMR4soVj5rQ4UwpDUq92o5DBN8uE2G2w0qfYh6h6GMFaDBqoIwgjW2gd7DTaXaxscwt8Pw1/rB6//EPdMlhKB8ZJSeU16zy48sFyByeWSd5bIApYCgydAek/ZMUjWxHyBTS/zL0UGAbCVs0uC3uxQPQECv819+MGqN3p0pkrXpKSPtIpBn4fw==
Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ubisense.com; dmarc=pass action=none header.from=ubisense.com; dkim=pass header.d=ubisense.com; arc=none
Authentication-Results: spf=fail (sender IP is 67.231.151.23) smtp.mailfrom=ubisense.com; dkim=fail (body hash did not verify) header.d=Ubisense.com;dmarc=fail action=none header.from=ubisense.com;compauth=softpass reason=202
Received-Spf: Fail (protection.outlook.com: domain of ubisense.com does not designate 67.231.151.23 as permitted sender) receiver=protection.outlook.com; client-ip=67.231.151.23; helo=mx0d-001a4c01.pphosted.com;
Authentication-Results-Original: ppops.net; spf=pass smtp.mailfrom=steve.cook@ubisense.com; dkim=pass header.d=ubisense.com header.s=selector1; dmarc=pass header.from=ubisense.com
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Ubisense.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9KggeXjp92RGmOIOfCLO2nhxiSuM4VOcnwTYQVGfqNw=; b=pu34wG18bbKRI+GxQA/yxbkJjSv5NYGlDZkdKcpkDKo4NkxDdWvVd2hvbA9wCLilJW7muE8BddPBpn2UqoBZ7BiO6/7iMPWJpa4UIbRlwByQk2UFBU9MA+NPOySB7a1YhEJCumzYAEdHjpor1LXhAACGLGKzFu2gauU/F5LxSHI=
From: Steve Cook <steve.cook@ubisense.com>
To: Steve Cook <steve.cook@ubisense.com>
Subject: Casey Riva - Compromised email sent
Thread-Topic: Casey Riva - Compromised email sent
Thread-Index: AQHbOqWVuiuwwrHpXkKdKujqRGtU+A==
Date: Tue, 19 Nov 2024 17:13:08 +0000
Message-Id: <CWLP123MB5555E16171FFC1ADDEFFEB91F2202@CWLP123MB5555.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-Ms-Has-Attach: yes
X-Ms-Traffictypediagnostic: CWLP123MB5555:EE_|CWLP123MB6377:EE_|DU6PEPF0000B622:EE_|VI1P191MB0717:EE_|PRAP191MB2090:EE_
X-Ms-Office365-Filtering-Correlation-Id: 97e5c7ae-e5a1-4c83-5796-08dd08bd78d4
X-Ld-Processed: fec9c4e9-d7de-4363-a4e3-039b6f2606d2,ExtAddr
X-Ms-Exchange-Atpmessageproperties: SA|SL
X-Ms-Exchange-Senderadcheck: 1
X-Ms-Exchange-Antispam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|1800799024|7416014|376014|366016|8096899003|38070700018;
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CWLP123MB5555.GBRP123.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(7416014)(376014)(366016)(8096899003)(38070700018);DIR:OUT;SFP:1102;
Content-Type: multipart/mixed; boundary="----sinikael-?=_1-17320381021350.24551197311655715"
X-Ms-Exchange-Transport-Crosstenantheadersstamped: VI1P191MB0717
X-Clx-Shades: MLX
X-Proofpoint-Orig-Guid: nIwsA_vZfsr9_cUrVfDcP3r5cWLKJuzX
X-Proofpoint-Guid: nIwsA_vZfsr9_cUrVfDcP3r5cWLKJuzX
MIME-Version: 1.0
X-Proofpointheader: Yes
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-11-19_08,2024-11-18_01,2024-09-30_01
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 clxscore=171 impostorscore=0 adultscore=0 lowpriorityscore=0 spamscore=0 mlxscore=0 bulkscore=0 unknownsenderscore=20 malwarescore=0 suspectscore=0 phishscore=0 priorityscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=2 engine=8.21.0-2409260000 definitions=main-2411190127 domainage_hfrom=9076
Return-Path: steve.cook@ubisense.com
X-Ms-Exchange-Organization-Expirationstarttime: 19 Nov 2024 17:13:22.5501 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id: 97e5c7ae-e5a1-4c83-5796-08dd08bd78d4
X-Eopattributedmessage: 0
X-Eoptenantattributedmessage: 75c696ec-5bfb-4892-9a0c-9187a9061cd6:0
X-Ms-Exchange-Organization-Messagedirectionality: Incoming
X-Ms-Exchange-Transport-Crosstenantheadersstripped: DU6PEPF0000B622.eurprd02.prod.outlook.com
X-Ms-Publictraffictype: Email
X-Ms-Exchange-Organization-Authsource: DU6PEPF0000B622.eurprd02.prod.outlook.com
X-Ms-Exchange-Organization-Authas: Anonymous
X-Ms-Office365-Filtering-Correlation-Id-Prvs: 33378c07-c0a6-479b-70a6-08dd08bd7033
X-Ms-Exchange-Organization-Scl: -1
X-Microsoft-Antispam: BCL:0;ARA:13230040|4073199012|5073199012|35042699022|82310400026|8096899003|4076899003;
X-Forefront-Antispam-Report: CIP:67.231.151.23;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0d-001a4c01.pphosted.com;PTR:mx0d-001a4c01.pphosted.com;CAT:NONE;SFS:(13230040)(4073199012)(5073199012)(35042699022)(82310400026)(8096899003)(4076899003);DIR:INB;
X-Ms-Exchange-Crosstenant-Originalarrivaltime: 19 Nov 2024 17:13:22.1751 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id: 97e5c7ae-e5a1-4c83-5796-08dd08bd78d4
X-Ms-Exchange-Crosstenant-Id: 75c696ec-5bfb-4892-9a0c-9187a9061cd6
X-Ms-Exchange-Crosstenant-Authsource: DU6PEPF0000B622.eurprd02.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas: Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
X-Ms-Exchange-Transport-Endtoendlatency: 00:00:02.7734482
X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.8158.023
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
Content-Transfer-Encoding: 7bit

Icon Hash: 46070c0a8e0c67d6
No network behavior found

Target ID: 2
Start time: 13:03:26
Start date: 19/11/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Imagebase: 0xcd0000
File size: 34'446'744 bytes
MD5 hash: 91A5292942864110ED734005B7E005C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 13:03:34
Start date: 19/11/2024
Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FE1BC693-9336-4AD9-883F-3B9E7D245435" "53E4F8D4-94A0-436E-A5CE-0A69164A14EE" "1060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase: 0x7ff7b7090000
File size: 710'048 bytes
MD5 hash: EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly