
Windows Analysis Report
Request Id ##23281## has been assigned to you-1.msg

Overview

General Information

Sample name:Request Id ##23281## has been assigned to you-1.msg
Analysis ID:1500940
MD5:180c16d72b265fbcd994b210a3ffe0d7
SHA1:14c9c8a72697ea0377b3c6594264310d60a9fcef
SHA256:4567730e08be6e18ac27796390297a92bf42b4a55126b65a7ed15c54d9a5d1a4

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 6892 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Request Id ##23281## has been assigned to you-1.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 992 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "12BC8DB6-A47A-4EEB-978A-9F9C6344715B" "1976F8E3-9A39-49FB-8C0C-697EB4F64899" "6892" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6892, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://webshell.suite.office.com
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://wus2.contentsync.
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: B403102E-5556-458F-A8BD-AB60B26353CB.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine; Classification label: clean1.winMSG@3/18@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240829T0042270169-6892.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Request Id ##23281## has been assigned to you-1.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "12BC8DB6-A47A-4EEB-978A-9F9C6344715B" "1976F8E3-9A39-49FB-8C0C-697EB4F64899" "6892" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (one line per tactic, three listed techniques each; a number in parentheses is the report's hit count for that technique, techniques without a number had no hits):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); System Information Discovery (13); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior graph (interactive graph not reproduced): Behavior Graph ID: 1500940; Sample: Request Id ##23281## has be...; Start date: 29/08/2024; Architecture: WINDOWS; Score: 1; process chain: OUTLOOK.EXE started ai.exe.

No Antivirus matches
No contacted domains info
  • URL Reputation: safe
unknown
https://d.docs.live.netB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://safelinks.protection.outlook.com/api/GetPolicyB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://ncus.contentsync.B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
http://weather.service.msn.com/data.aspxB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://apis.live.net/v5.0/B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://officepyservice.office.net/service.functionalityB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://templatesmetadata.office.net/B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.lifecycle.office.com/B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://pushchannel.1drv.msB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://management.azure.comB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.comB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://wus2.contentsync.B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnostics.office.comB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/iosB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://make.powerautomate.comB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/api/addins/searchB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/odc/insertmediaB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/api/v1.0/me/ActivitiesB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://api.office.netB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://incidents.diagnosticssdf.office.comB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://asgsmsproxyapi.azurewebsites.net/B403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/android/policiesB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://entitlement.diagnostics.office.comB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
https://substrate.office.com/search/api/v2/initB403102E-5556-458F-A8BD-AB60B26353CB.0.drfalse
  • URL Reputation: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1500940
Start date and time:2024-08-29 06:41:24 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Request Id ##23281## has been assigned to you-1.msg
Detection:CLEAN
Classification:clean1.winMSG@3/18@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .msg
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.68.129, 2.19.126.151, 2.19.126.160, 52.182.143.210
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, onedscolprdcus10.centralus.cloudapp.azure.com, a1864.dscd.akamai.net, ecs.office.com, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
Input:
  • URL: Email
  • Model: jbxai
Output:
{
"brand":["Australian Food & Fibre"],
"contains_trigger_text":false,
"prominent_button_name":"unknown",
"text_input_field_labels":["unknown"],
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":false,
"has_visible_qrcode":false}
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.381733941245953
Encrypted:false
SSDEEP:3072:Gjgu4kg7miGu2zqoQmrt0FvuM2tAgbRdcZlvqk:Gmbmi2mJp6+lv9
MD5:877642D68649D771CEC0E2254FD000F6
SHA1:28C100CF7BC15C61AAA9151667B31494AF93B6E2
SHA-256:A527C8C72CA7C1384BE933CCBDEC4FF630E7BE6EF7A1767A6CB6644EFBB0A7A1
SHA-512:B329B76ECA431DD5709B434F4B6CB24CF6DAAABCF874DAF824BA24613CCED54215714604C905B1F5D33B40880D0F688222F0886AB9877EA3A417E403956518C8
Malicious:false
Reputation:low
Preview:TH02...... .`...........SM01X...,...................IPM.Activity...........h...............h............H..h..>...........h............H..h\eng ...r\Ap...h@...0.....>....h ..............h........_`.k...h..@...I.6w...h....H...8..k...0....T...............d.........2h...............k.yg...........!h.............. hY........>...#h....8.........$h........8....."h..............'h..{...........1h ...<.........0h....4.....k../h....h......kH..hH...p.....>...-h .......D.>...+h.........>................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):322260
Entropy (8bit):4.000299760592446
Encrypted:false
SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:CC90D669144261B198DEAD45AA266572
SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:false
Reputation:high, very likely benign file
Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with no line terminators
Category:modified
Size (bytes):10
Entropy (8bit):2.846439344671015
Encrypted:false
SSDEEP:3:LBc5QQQ:taq
MD5:96AA3F75E1099EDDFF26B3DCD65333C0
SHA1:D0CBB9B94A549CB1B58CE0ED5D428FBAC7FE39DA
SHA-256:FC8AEB9D6CAF382D2AC5240E67622C0077E87FD01C01B45143B66E4D8B4C56CE
SHA-512:C976BFE77C4F56191EBBADD797C8FA5B64A2901C38CB5A6E31EFA3D530AC0520CC9132A6AC45C562C9AA2212A62DB357140EAFAB4EB8DC86B70FCF667166A98B
Malicious:false
Reputation:low
Preview:1724906555
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):176365
Entropy (8bit):5.287467893303764
Encrypted:false
SSDEEP:1536:oi2XfRAqcbH41gwEiLe7HW8bM/o/NMYcAZl1p5ihs7EXXmEAD2Odad:94e7HW8bM/o/wXDku
MD5:A540A6F17E508271B211834344D2206C
SHA1:648459BD7DCA0985EE2B8BF584B9038DB6006257
SHA-256:049231177057A5A048DE48021626A0BE461765596A752AB23C98B7E20AAB7DDE
SHA-512:3D3C67669D1E301B817190F85D3F8FE863BB6A2608141844FDD0B20A11E583C1EF6BFED79105F506D167240261BFC97A5408AB817A33EA10B615ABCDDD0D4AD7
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-08-29T04:42:30">.. Build: 16.0.18014.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:dropped
Size (bytes):4096
Entropy (8bit):0.09304735440217722
Encrypted:false
SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5:D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:false
Reputation:moderate, very likely benign file
Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):4616
Entropy (8bit):0.13654087935378095
Encrypted:false
SSDEEP:3:7FEG2l+tMl/FllkpMRgSWbNFl/sl+ltlslN04l9Xll/:7+/lXg9bNFlEs1E39H
MD5:3DA8B0DB97B7026427131EF4008F47EF
SHA1:4EE51411DD3A1F9B997FFA9673691E89FD55B8A9
SHA-256:034E83BED54F97E0091AADED63C35991A703F3E0787F3C29D954F010472413D9
SHA-512:7568198B4E5735D7626337D71228A6270CB81D2BE60663F6210105109F90DBE60A95481E488ED12A9ADB1B331B1E63F31331145D7138C3ECEA08C2814B77303E
Malicious:false
Reputation:low
Preview:.... .c.....p ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.0446603401158491
Encrypted:false
SSDEEP:3:G4l2VXY4Jnl2VXY4JXllWlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2VN5l2VNZqL9XXPH4l942U
MD5:39BADBD647B4F1FEDBEC0FD01CDD5B92
SHA1:F96DEE87AFC4F5313B6CB282D7173A1AB01BC379
SHA-256:4F5C85B06E539C610FAB847D9AE0EB6CD9A3CD261ADB226875CC89BE5B7CE384
SHA-512:BE276180329C712769912F4D7C6865D748E6E8EC1FE11514349B512DD17E2D95D76E3A4EECE320F4DFDC233EF25D458FC77783C7AA5DED812503A457093572DC
Malicious:false
Reputation:low
Preview:..-.....................c.........O. ^..|h..Q.7...-.....................c.........O. ^..|h..Q.7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:dropped
Size (bytes):45352
Entropy (8bit):0.39445025792258326
Encrypted:false
SSDEEP:24:KVlbwRQMIzRDWtill7DBtDi4kZERDRxqt8VtbDBtDi4kZERDg9:Yl0RQjkill7DYMtxO8VFDYM
MD5:E9930DDB3EC0DB1D6BA20AEFF2BD8DAE
SHA1:9FA031E9E6CFE52AE909D844939C2DEA28390ED6
SHA-256:A5FD215775A4298C1E3FF028A0A185875074C9177396D392C42F34CD1E106DCF
SHA-512:70FD66D6D7D959009DE0D71499101543D2F20DF42E39CF6820E5B7010FCEF6FE073B37AF85159F5C966AE70FDE58317549C0BABBE9BEAF9D7380BCE403B065A1
Malicious:false
Reputation:low
Preview:7....-............O. ^...6................O. ^..<.T.r...SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:PNG image data, 300 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):7528
Entropy (8bit):7.9529849490538815
Encrypted:false
SSDEEP:192:q9kA1dDjmUwhnP1ZmK5qlIGFdUbD5byhU:Sh1dD6Uw91B5fsS52hU
MD5:29ABB48ACDE7298254263DF675697E27
SHA1:CF84C32E10EEF4632D1052BE57D06EFA76909D96
SHA-256:A7BA72C9BC92328E6995B7E8FF3FF686E5665940F3ED156F294CAB350E3CED8F
SHA-512:D6B42F669DA6333FBDEFE8E58F0F88822F00ECD597E63FA15F9643A6A96FF364216232940546BA6190BAF19CE5F20D697628B240660984215571651B0859BBD7
Malicious:false
Preview:.PNG........IHDR...,...0.......G!....sRGB...,.....pHYs...%...%.IR$.....IDATx..]YP.../....#..?.....?.....8..(..Z........K..(.".i.....)5...:...........Wt...U.U...3......2Ofe~y.....OQ.R...%...b.|Y)L...../..k~...w..&5....(..Ei.-.....k..".&..'....o..v.|^.|..<...:.6........t.T.Y..-.Sf...x0.Q..~..W;.dZ..L..~.E.?...X........O....{Z.,.i..2~b.......n.^..y)..4.<..4I..'u.'d...........X.T.I..M......M.....ErNn.....%.q.T....."0b.Q.X$u.~.....}J..w.`.JrJS......[.v_..u~;..y.}..|1-W........m;.D...........-.........X$.....X.....|.M..)9~.......a......s.[..e+....c.e.S.r....s...s.....A......t..8!.>:C...A.u.[ uv.}$..pG..2i..........!i..Q...1q...q..b.........J.....2..t........"U.A<I..')..........Z..=..;O.3..z.b...... .4|-....P........O..*.....{...C..C.'76..u..a.&...a.\M-......m..y...'..*... .1[._.:....._V.......O.K.KK..V..1+.2...(`.N.tq.c..<...-"+....D......o..vTT...=.J.p^.....;>K.....{~......~.d;`....x..:a.j....~.............1.%..t..-.c.m8.".Q.7!
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):5664
Entropy (8bit):3.193173134337864
Encrypted:false
SSDEEP:96:i2YiobRoKT+PDfmmmmmhU1C444nBlsti9kub7dJ1km:X6bLToDRKivhkm
MD5:73636D34B5D89C57DBE892B0B18AB842
SHA1:E53FB323880A369E23C7DE526B87F73AE3C28E01
SHA-256:F396A8585A424DF3F6F3AD58601532950C496BB0B6BA7E608336CC977E0CCEC4
SHA-512:FE83A00FC241BA21E1E55B1FAC570E52809FEA8B5E543BE919827C3E2A703A5292BF78842B8B43E85405DA2A44134A5EBD773D7ADF951CD2128BD670331E409F
Malicious:false
Preview:....R.e.q.u.e.s.t. .d.e.t.a.i.l.s. .a.r.e. .:.....R.e.q.u.e.s.t.e.d. .b.y. .:. .A.F.F. .H.R...;.C.r.e.a.t.e.d. .b.y. .:. .S.y.s.t.e.m...D.u.e. .b.y. .d.a.t.e. .:. .A.u.g. .3.0.,. .2.0.2.4. .0.9.:.2.0. .A.M...C.a.t.e.g.o.r.y. .:. ...T.i.t.l.e. .:. .A.C.T.I.O.N. .R.E.Q.U.I.R.E.D. .-. .T.i.m.o.t.h.y. .O.a.k.l.e.y. .-. .O.f.f.b.o.a.r.d.i.n.g. .N.o.t.i.f.i.c.a.t.i.o.n...D.e.s.c.r.i.p.t.i.o.n. .:. .............................................................................................................................................N...P...^.......................p...r.............................................................................................................................................................................................................................................................................d....-D..M................$.a$.........$..$.If....:V.......t.....6......4........4........a....*...$..$.If........!v..h.#v....:V.......t.....6......5.......4
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28729), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16138674148167045
Encrypted:false
SSDEEP:1536:s3nNmf0LRKdTBlT8xa0OkVFMJhp6tEhwxjHRqTckjS3ogdoBgG:NfCRuvT8lxM2l
MD5:06D97C18FACCBE69B3E24673D4F77F98
SHA1:F2636208A50519B04A9002D77D076CB48E4515F4
SHA-256:9BA92712992FFA109252A6F7D5968B6AFF251FF19088DB4067923384A4E423D8
SHA-512:170DABFED774AE5FE01EB07FA7DE6C41AE71842049F8235E37D38B4CA79E20FC934EB9FB5AA7DCD541640BD841130AF5CE0571FA214B9E7AD065F8E6DA1D5B3E
Malicious:false
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..08/29/2024 04:42:27.575.OUTLOOK (0x1AEC).0x1B28.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-08-29T04:42:27.575Z","Contract":"Office.System.Activity","Activity.CV":"SbEDA47u9Uq4LuEPzcouAg.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...08/29/2024 04:42:27.591.OUTLOOK (0x1AEC).0x1B28.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-08-29T04:42:27.591Z","Contract":"Office.System.Activity","Activity.CV":"SbEDA47u9Uq4LuEPzcouAg.4.10","Activity.Duration":12307,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):94208
Entropy (8bit):4.461850631342111
Encrypted:false
SSDEEP:768:9ERhbfSmVjSES9VLEzdbbOM43WCrIy9rz1lkXSZf6ti1+a:WVjSESk43WCr99rz1lkX+hYa
MD5:77E8AE3FF2BA49C6127B23D46704BB7D
SHA1:201CA2EE96A7D3B38560A603E0CB07959EDCB545
SHA-256:BD547179D5F640E1A4E49056D2037D2E6C41C8ADA9D82ABF377649B5984DA3BD
SHA-512:B40CD5435B712C52E97D40AB98750DC0C96A55CF722B91327D0AD1DF667D459BC8B3DEE52C4A50937FF660AA7BAF2C5C07CCDF11B91C103769285B3DC5FD6A92
Malicious:false
Preview:............................................................................h...(.......oKd.....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................KcI...........oKd.............v.2._.O.U.T.L.O.O.K.:.1.a.e.c.:.a.6.3.c.3.7.c.3.b.0.3.e.4.8.2.2.b.e.8.d.8.a.b.4.d.1.d.9.a.a.8.e...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.8.2.9.T.0.0.4.2.2.7.0.1.6.9.-.6.8.9.2...e.t.l.......P.P.(.......oKd.....................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):163840
Entropy (8bit):0.47468708198064946
Encrypted:false
SSDEEP:192:t0IixCyodfssOSGXCl35AAsl73JgSsQM6wkv5irz0uNgiRHWMOuqAbAFAqwNh/:/wodB9M05f8hsQMdSirsiRHCuqMu
MD5:4DCE4AD136A8D280669C8522ADB86DD1
SHA1:F6A065DA4404B2FE263887AD075639EBF1029CBC
SHA-256:D9F6BA2942A5136C4E949CC1345C6C985220D549FF8D73353AEB261C8C8E4F44
SHA-512:6499CA8D4B4BA85445D29C47F89E08A7E3699F6329E7FF0F63C78533E0A0E4359D28DFEDD298718A91317DAE0693DB71C7AEE46A07212592BDDC23D00A5F1750
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:J//t:9/
MD5:CA3525000D67A2E1E75D6F96967A50AE
SHA1:1DFC2866FE3E66AC85D2ED11F760D2B5C4B1300E
SHA-256:0D5A6AF6913FAB895830C72B7A77F7B3237967B83953D068F80311C57A96FBEC
SHA-512:0F83BA84FF28924725696F3E17D19D228A84EFAFEA5ED6873E0CEA05DB35BB276EA09DFFAAE36326982210DEAD1107DA65E7E0D2DBAD9AC212C0A57F90E1546F
Malicious:false
Preview:.....e........................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.6707714898712407
Encrypted:false
SSDEEP:12:rl3baFzsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCsH:rymnq1Py961sH
MD5:EFA093C6960473C980F3CF25B0275617
SHA1:A059D02DABAE468C32D0449B665631C220E53D19
SHA-256:69A9B69379F8E7D4AF0F224E439401016AC2703E0CDDF2AB7F773671D8DA6A88
SHA-512:E69840B8DE7538CB64D88347F2B8DC41B57B80DAF95E775D48C6F7E4FC2F0F49CE24E644C9481CD50C063252921831F4E4DC8542F93BC718F33E64B8F8E49629
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):1.5155922487446365
Encrypted:false
SSDEEP:768:yQcrFsNM+WnD90d6UGd8gjQt1ZUGNkkBfb8BUTIZ:gCfWnqGdg1rRfbeNZ
MD5:8F4637F680627027D996199A7EA410E6
SHA1:710AC9CB3BD25178281C4FEE3D931861EDDE1956
SHA-256:93CF0D39AFEF5B40905354FF7A3954ED0643389BCB81277BEB048EB3AD9EBEAC
SHA-512:9F31BB505AE680EB60B01F79B476ADC4F1EBDE38D7E81AB6F3D3E4104CED99EC4FA5733DF99C223D802AF6188FCB77DB14E24303228CDDB452DA0116F9650984
Malicious:false
Preview:!BDN>..GSM......\....\..................\................@...........@...@...................................@...........................................................................$.......D......@C..........................................................................................................................................................................................................................................................................................................................H.......ca...@.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):0.8286195484425861
Encrypted:false
SSDEEP:192:g0DwjTIoOJMgDe2MrzTJsHw7LByc6cM9VgTFQbPN+dQz:sjTIXJ5DeTqHw4cH4y6NO
MD5:0DB16239C2491D505D3664CE934C2B9D
SHA1:5E72A105513879AF1B1CED11567CFCAC58109F7F
SHA-256:96D29E66C3AC061FAA7E049FAD7CE239106B1C86EB16440E87882A8AC6965801
SHA-512:56BE1105AA2DF94DB0EBB045C490BD22BA85AAAC741E1DE4A2B1A2A47D8C531F8E9044053393D810617D9DBCFC57BDEB0391F4092B122265A6FF5AFA24C2439C
Malicious:false
Preview:....C...G............(........................#.!BDN>..GSM......\....\..................\................@...........@...@...................................@...........................................................................$.......D......@C..........................................................................................................................................................................................................................................................................................................................H.......ca...@..(...........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:CDFV2 Microsoft Outlook Message
Entropy (8bit):4.269432921886302
TrID:
  • Outlook Message (71009/1) 58.92%
  • Outlook Form Template (41509/1) 34.44%
  • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:Request Id ##23281## has been assigned to you-1.msg
File size:109'056 bytes
MD5:180c16d72b265fbcd994b210a3ffe0d7
SHA1:14c9c8a72697ea0377b3c6594264310d60a9fcef
SHA256:4567730e08be6e18ac27796390297a92bf42b4a55126b65a7ed15c54d9a5d1a4
SHA512:62090b807051970320d6c39526994ec5e68e3a2ec1fb56a9668ac72738dd575614d9ca27c195bcd55443ea1ddccbf2753787e237796e05b00a205eeef6e06f61
SSDEEP:1536:1igy8rEtN2GT0nfawC3F/A4hJ1XXNG6KmgtPo1Sa:1igZEtN2GT0nf903J9XNG6KRtw
TLSH:BBB3F11536FA1219F277AF3189F69097C977BC92AD148A5F2181330E0972A41ED72F3B
File Content Preview:........................>......................................................................................................................................................................................................................................
Subject:Request Id ##23281## has been assigned to you
From:AFF IT Service Desk <itservicedesk@australianfoodandfibre.com.au>
To:<helpdesk@sn.com.au>
Cc:
BCC:
Date:Wed, 28 Aug 2024 01:26:48 +0200
Communications:
  • Request details are : Requested by : AFF HR ;Created by : System Due by date : Aug 30, 2024 09:20 AM Category : Title : ACTION REQUIRED - Timothy Oakley - Offboarding Notification Description : ACTION REQUIRED - Timothy Oakley - Offboarding Notification Hi IT, Please be advised that Timothy Oakley will be leaving AFF on 19/09/2024. Please process Timothy as a leaver and refer to the Offboarding Information form shared with you for further details. Kind regards, AFF HR ________________________________ ELMO Software - All Rights Reserved CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. Click for details : https://australianfoodandfibre.servicedeskplus.net.au/app/itdesk/ui/requests/867000003351579/details <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faustralianfoodandfibre.servicedeskplus.net.au%2Fapp%2Fitdesk%2Fui%2Frequests%2F867000003351579%2Fdetails&data=05%7C02%7Chelpdesk%40sn.com.au%7C4edca516a9c844c427d508dcc6efbd16%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0%7C638603980216910815%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Y4Zlly8WBOoRTqQsZCkCb%2B2cZ%2FP8C7WuxX%2FutmcXFk4%3D&reserved=0>
Attachments:
  • 1724801208928006_157812638.png
Received: from SYBPR01MB5487.ausprd01.prod.outlook.com
 via Mailbox Transport; Wed, 28 Aug 2024 09:27:02 +1000
 15.2.792.15; Wed, 28 Aug 2024 09:27:01 +1000
 via Frontend Transport; Wed, 28 Aug 2024 09:27:01 +1000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 by SY4PR01MB8120.ausprd01.prod.outlook.com (2603:10c6:10:1cc::5) with
 2024 23:26:55 +0000
 (2603:10c6:10:e3::8)
 Transport; Tue, 27 Aug 2024 23:26:55 +0000
Authentication-Results: spf=pass (sender IP is 52.101.152.116)
Received-SPF: Pass (protection.outlook.com: domain of
 15.20.7918.13 via Frontend Transport; Tue, 27 Aug 2024 23:26:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
Authentication-Results-Original: dkim=none (message not signed)
 SY0PR01MB8891.ausprd01.prod.outlook.com (2603:10c6:10:21f::19) with Microsoft
 15.20.7897.12; Tue, 27 Aug 2024 23:26:50 +0000
 ([fe80::ba2b:8203:9f93:5570%5]) with mapi id 15.20.7918.017; Tue, 27 Aug 2024
 23:26:50 +0000
Date: Wed, 28 Aug 2024 09:26:48 +1000
From: AFF IT Service Desk <itservicedesk@australianfoodandfibre.com.au>
To: <helpdesk@sn.com.au>
Message-Id: <1919629d27d.5928f55c71483.1537268644417527609@australianfoodandfibre.com.au>
In-Reply-To: <010001919622cfd4-10cbc29b-e630-4c25-af99-e8aa1a72c7cb-000000@email.amazonses.com>
References: <010001919622cfd4-10cbc29b-e630-4c25-af99-e8aa1a72c7cb-000000@email.amazonses.com>
Subject: Request Id ##23281## has been assigned to you
Content-Type: multipart/alternative;
X-Auto-Response-Suppress: All
X-SDP-APPID: 7001242980
User-Agent: Zoho Mail
X-Mailer: Zoho Mail
X-Zoho-Virus-Status: 1
X-ClientProxiedBy: SYBPR01CA0033.ausprd01.prod.outlook.com
Return-Path: itservicedesk@australianfoodandfibre.com.au
MIME-Version: 1.0
X-MS-TrafficTypeDiagnostic: SYBPR01MB5487:EE_|SY0PR01MB8891:EE_|ML1PEPF00011308:EE_|SY4PR01MB8120:EE_
X-MS-Office365-Filtering-Correlation-Id: 4edca516-a9c8-44c4-27d5-08dcc6efbd16
X-LD-Processed: c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|1800799024|376014|366016;
X-Microsoft-Antispam-Message-Info-Original: =?us-ascii?Q?vE9Fx2VjS5PF/lGJM7l99JgUWhmcNMexpLtqOMtxuv9Ix9d0eNUnZBvO6UUZ?=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SYBPR01MB5487.ausprd01.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-Original-0: =?utf-8?B?TnIwalQ4aGl0N0F5OG9oNHVWMWd3SXEvM201WnFqNjhUVThLNnc0TjhRbVdW?=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY4PR01MB8120
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: ML1PEPF00011308.ausprd01.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: ML1PEPF00011308.ausprd01.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 8a19591c-1531-4bfd-b541-08dcc6efb986
X-MS-Exchange-AtpMessageProperties: SA|SL
X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022;
X-Microsoft-Antispam-Message-Info: =?utf-8?B?K2N5MUlGakdxTjFITTZFS2dYQ2NJWG54akpwdGk2Q25hRmd6K2NmQlJUVjcr?=
X-Forefront-Antispam-Report: CIP:52.101.152.116;CTRY:AU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MEUPR01CU001.outbound.protection.outlook.com;PTR:mail-australiasoutheastazon11020116.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022);DIR:INB;
X-MS-Exchange-ATPSafeLinks-Stat: 0
X-MS-Exchange-ATPSafeLinks-BitVector: 0:0x0|0x0|0x0|0x0|0x0|0x0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Aug 2024 23:26:55.0971
X-MS-Exchange-CrossTenant-Network-Message-Id: 4edca516-a9c8-44c4-27d5-08dcc6efbd16
X-MS-Exchange-CrossTenant-Id: c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1
X-MS-Exchange-CrossTenant-AuthSource: ML1PEPF00011308.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-OrganizationHeadersPreserved: SY4PR01MB8120.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-Network-Message-Id: 93cdca75-51a1-4c08-dcd0-08dcc6efc117
X-MS-Exchange-Organization-SCL: 1
X-CrossPremisesHeadersPromoted: SN-MAIL.systemnet.local
X-CrossPremisesHeadersFiltered: SN-MAIL.systemnet.local
X-MS-Exchange-Organization-AuthSource: ML1PEPF00011308.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: systemnetau.onmicrosoft.com
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2940848
X-MS-Exchange-Processed-By-BccFoldering: 15.02.0792.015
date: Wed, 28 Aug 2024 01:26:48 +0200
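The header table above carries the facts an analyst reads off a report like this one before looking at anything else: SPF passed for the connecting IP, the message carries no DKIM signature, Exchange scored it SCL 1 with category NONE, the Return-Path domain matches the From domain, the thread parent (In-Reply-To) was sent through email.amazonses.com, and the only link in the body is wrapped by Safe Links. The script below is an added triage example, not part of the Joe Sandbox report or its tooling. It pulls those values out of a constructed header block (the report's visible fields rewritten in RFC 5322 form, trimmed to what is shown on the page) and unwraps the Safe Links URL to recover the real target; every function name in it is mine.

```python
"""Mail-header triage for the message in this report (added example).

SAMPLE_HEADERS is constructed from the header fields visible in the report,
written in plain "Name: value" form; nothing else is taken from the sample.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import parse_qs, urlsplit

SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 52.101.152.116)
Authentication-Results-Original: dkim=none (message not signed)
From: AFF IT Service Desk <itservicedesk@australianfoodandfibre.com.au>
To: <helpdesk@sn.com.au>
Return-Path: itservicedesk@australianfoodandfibre.com.au
In-Reply-To: <010001919622cfd4-10cbc29b-e630-4c25-af99-e8aa1a72c7cb-000000@email.amazonses.com>
Subject: Request Id ##23281## has been assigned to you
X-Mailer: Zoho Mail
X-Forefront-Antispam-Report: CIP:52.101.152.116;CTRY:AU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MEUPR01CU001.outbound.protection.outlook.com;PTR:mail-australiasoutheastazon11020116.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022);DIR:INB;
X-MS-Exchange-CrossTenant-AuthAs: Anonymous

"""

# The Safe Links wrapper exactly as it appears in the report's Communications section.
SAMPLE_BODY_URL = (
    "https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
    "australianfoodandfibre.servicedeskplus.net.au%2Fapp%2Fitdesk%2Fui%2Frequests"
    "%2F867000003351579%2Fdetails&data=05%7C02%7Chelpdesk%40sn.com.au%7C"
    "4edca516a9c844c427d508dcc6efbd16%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0"
    "&sdata=Y4Zlly8WBOoRTqQsZCkCb%2B2cZ%2FP8C7WuxX%2FutmcXFk4%3D&reserved=0"
)


def auth_results(msg: Message) -> dict:
    """Collect method=result pairs from every Authentication-Results* header.

    The first result seen for a method wins, so the receiving MX's own verdict
    takes precedence over the -Original copy stamped before cross-tenant delivery.
    """
    found = {}
    for name in ("Authentication-Results", "Authentication-Results-Original"):
        for value in msg.get_all(name, []):
            for method, result in re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", value, re.I):
                found.setdefault(method.lower(), result.lower())
    return found


def antispam_report(msg: Message) -> dict:
    """Split X-Forefront-Antispam-Report into its KEY:value fields (CIP, SCL, CAT, ...)."""
    fields = {}
    for item in msg.get("X-Forefront-Antispam-Report", "").split(";"):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def unwrap_safelinks(url: str) -> str:
    """Return the original target behind a Microsoft Safe Links wrapper, else the URL unchanged."""
    parts = urlsplit(url)
    if parts.netloc.endswith("safelinks.protection.outlook.com"):
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return url


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address or message-id, '' if none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw_headers: str, body_url: str) -> dict:
    """Summarise sender authentication, filtering verdict and link target for an analyst."""
    msg = message_from_string(raw_headers)
    auth = auth_results(msg)
    report = antispam_report(msg)
    from_dom = domain_of(msg.get("From"))
    parent_dom = domain_of(msg.get("In-Reply-To"))
    flags = []
    if auth.get("dkim") != "pass":
        flags.append("no valid DKIM signature: From domain is not cryptographically attested")
    if parent_dom and parent_dom != from_dom:
        flags.append(f"thread parent sent via {parent_dom}, not {from_dom}")
    return {
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
        "sender_ip": report.get("CIP"),
        "scl": int(report.get("SCL", "-1")),
        "category": report.get("CAT"),
        "from_domain": from_dom,
        "return_path_aligned": domain_of(msg.get("Return-Path")) == from_dom,
        "thread_parent_domain": parent_dom,
        "target_url": unwrap_safelinks(body_url),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS, SAMPLE_BODY_URL).items():
        print(f"{key}: {value}")
```

For this sample the summary is consistent with the report's verdict: SPF pass from 52.101.152.116, SCL 1, category NONE, aligned Return-Path, and a Safe Links wrapper that resolves to the same ServiceDesk Plus URL shown in plain text in the body. The two flags it raises (no DKIM signature, thread parent relayed through email.amazonses.com) are the points worth a second look on a ticketing notification that asks IT to process an offboarding, since neither is proof of spoofing but both mean the From domain is not cryptographically attested.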

Icon Hash:c4e1928eacb280a2
No network behavior found

Target ID:0
Start time:00:42:24
Start date:29/08/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Request Id ##23281## has been assigned to you-1.msg"
Imagebase:0xab0000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:00:42:30
Start date:29/08/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "12BC8DB6-A47A-4EEB-978A-9F9C6344715B" "1976F8E3-9A39-49FB-8C0C-697EB4F64899" "6892" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff78c0c0000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

No disassembly