
Windows Analysis Report
Potential Phish.msg

Overview

General Information

Sample name: Potential Phish.msg
Analysis ID: 1520603
MD5: 99f39a8d4dd42f201afdd2e04db8cbb1
SHA1: 7670a68e05f9b0ab5b7f3777c641eea5adb275c0
SHA256: c6813fd4b2aa76220ca019634a1401a1147f47b3243ea4c6861a76a432804f60

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 5544 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential Phish.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 560 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F19DBE1-A52C-4D03-ACEC-422148DC4050" "CFEE4B90-F8DB-44A5-A42E-3BE4AD11C3DE" "5544" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


There are no malicious signatures.

Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://wus2.contentsync.
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://www.yammer.com
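Every URL in the list above is attributed to 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr, a file Outlook dropped while starting, not to the .msg under analysis. Office binaries carry hundreds of first-party service endpoints, so a "String found in binary or memory" list is mostly noise when the sample is an e-mail. The helper below is an added example (not part of the Joe Sandbox report, and not Joe Sandbox's own tooling): it parses lines in this report's format, keeps anything attributed to the sample itself, marks truncated Office strings such as https://wus2.contentsync., and otherwise drops hosts under a constructed allowlist of Microsoft suffixes. The allowlist and the sample lines are assumptions made for the example; the "Potential Phish.msg" line with a login URL is constructed and does not appear in the report.

```python
"""Triage 'String found in binary or memory' URL lines from a sandbox report.

Added example, not from the Joe Sandbox report. The suffix allowlist below
is constructed for the example and should be tuned per estate.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: suffixes that are first-party Microsoft service
# domains in Office telemetry. Matching is on whole labels, never substrings,
# so "notoffice.com" or "office.com.evil.test" do not pass.
FIRST_PARTY_SUFFIXES = (
    "office.com", "office.net", "office365.com", "outlook.com", "live.com",
    "microsoft.com", "microsoftonline.com", "windows.net", "1drv.ms",
    "onenote.com", "yammer.com", "skype.com", "bing.com", "svc.ms",
    "getmicrosoftkey.com", "acompli.net", "azurewebsites.net", "lync.com",
    "powerapps.com", "cortana.ai", "uservoice.com", "cloud.microsoft",
    "static.microsoft", "microsoftusercontent.com", "microsoftstream.com",
    "dynamics.com", "powerbi.com", "aadrm.com", "virtualearth.net",
    "office.cn", "office.de", "officeppe.com", "msn.com",
    "microsoftpersonalcontent.com", "o365filtering.com", "powerautomate.com",
)

# Accepts both the extracted form ("...0.drString found...") and the form
# with a " | " separator between the source and the finding.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)(?:\s*\|\s*)?"
    r"String found in binary or memory:\s*(?P<url>\S+)\s*$"
)

# Constructed input. The first four lines are in the report's format; the
# fifth is a made-up line showing what a link in the mail body would look like.
SAMPLE_LINES = [
    "Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drString found in binary or memory: https://pushchannel.1drv.ms",
    "Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | String found in binary or memory: https://shell.suite.office.com:1443",
    "Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;h",
    "Source: 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | String found in binary or memory: https://wus2.contentsync.",
    "Source: Potential Phish.msg | String found in binary or memory: https://login.example-portal.test/verify",
    "not a finding line at all",
]


def parse_line(line):
    """Return (source, url) for a finding line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("source"), m.group("url")


def host_of(url):
    """Hostname of the first URL in a string; Office strings may glue several
    URLs together with ';' and may end in a dot where the string was cut."""
    first = url.split(";")[0]
    host = urlsplit(first).hostname or ""
    return host.rstrip(".").lower()


def is_first_party(host):
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def triage(lines, sample_sources=()):
    """Return (source, url, reason) tuples worth an analyst's attention.

    Reasons, in priority order: 'from-sample' (string came from the sample
    itself), 'truncated' (cut-off Office string, kept but labelled),
    'unparseable' (no hostname) and 'non-first-party'."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, url = parsed
        host = host_of(url)
        if source in sample_sources:
            findings.append((source, url, "from-sample"))
        elif url.endswith("."):
            findings.append((source, url, "truncated"))
        elif not host:
            findings.append((source, url, "unparseable"))
        elif not is_first_party(host):
            findings.append((source, url, "non-first-party"))
    return findings


if __name__ == "__main__":
    for src, url, reason in triage(SAMPLE_LINES, sample_sources={"Potential Phish.msg"}):
        print(f"{reason:16} {src}: {url}")
```

Run against the report's own lines, the only survivors are truncated Office strings; a link that genuinely came from the message body would show up under the sample's name as the source, which is the column to watch when triaging a suspected phish.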
Source: classification engine | Classification label: clean1.winMSG@3/15@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240927T1043380140-5544.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential Phish.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F19DBE1-A52C-4D03-ACEC-422148DC4050" "CFEE4B90-F8DB-44A5-A42E-3BE4AD11C3DE" "5544" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
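The only child process in this run is ai.exe, launched by OUTLOOK.EXE from the Click-to-Run vfs directory with an .onnx model name on its command line; that is normal Office behaviour and the reason the report scores 1. A detection that alerts on any Office child process is noisy, while one that allowlists ai.exe by name alone can be bypassed by dropping a binary with that name elsewhere. The following is an added example (not part of the report, and not a Joe Sandbox or Sigma rule): it keys the allowlist on the full parent directory and flags the usual script hosts. The event records are constructed; the field names ParentImage and Image follow Sysmon event 1 naming as an assumption and should be mapped to your own telemetry.

```python
"""Classify child processes of Office applications.

Added example, not from the Joe Sandbox report. Event field names are an
assumption (Sysmon-style ParentImage/Image); sample events are constructed.
"""
import ntpath

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# Paths taken from the process tree in this report.
OUTLOOK = r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"
OFFICE_VFS = (r"C:\Program Files (x86)\Microsoft Office\root\vfs"
              r"\ProgramFilesCommonX64\Microsoft Shared\Office16")

# Expected children keyed on basename, value is the directory they must live
# in (compared case-insensitively and exactly, not as a substring).
EXPECTED_CHILDREN = {
    "ai.exe": OFFICE_VFS.lower(),
    "splwow64.exe": r"c:\windows",  # assumption: 32-bit Office printing helper
}

# Children that are almost never legitimate under an Office parent.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}

# Constructed events: the benign ai.exe launch from this report, then
# hypothetical variants an analyst would want to tell apart.
SAMPLE_EVENTS = [
    {"ParentImage": OUTLOOK, "Image": OFFICE_VFS + r"\ai.exe"},
    {"ParentImage": OUTLOOK,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": OUTLOOK, "Image": r"C:\Users\user\AppData\Local\Temp\ai.exe"},
    {"ParentImage": OUTLOOK,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe"},
]


def classify(event):
    """Return 'ignore', 'expected', 'alert' or 'review' for one process event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent not in OFFICE_PARENTS:
        return "ignore"
    image = event["Image"]
    child = ntpath.basename(image).lower()
    if child in SUSPICIOUS_CHILDREN:
        return "alert"
    expected_dir = EXPECTED_CHILDREN.get(child)
    if expected_dir is not None:
        # Same name in a different directory is the masquerading case.
        if ntpath.dirname(image).lower() == expected_dir:
            return "expected"
        return "alert"
    return "review"


def run_sample():
    return [classify(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{verdict:9} {ntpath.basename(event['ParentImage'])} -> {event['Image']}")
```

The directory comparison uses ntpath so the check behaves the same when the log is processed off a non-Windows host; note that the report itself shows the same path with both "root" and "Root", which is why the comparison is case-insensitive.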
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (57 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (a number before a technique is the badge shown next to it in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Behavior Graph (ID: 1520603) | Sample: Potential Phish.msg | Start date: 27/09/2024 | Architecture: WINDOWS | Score: 1 | Process tree: OUTLOOK.EXE (started) -> ai.exe (started)

No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://login.microsoftonline.com/ | 0% | URL Reputation | safe |
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe |
https://designerapp.azurewebsites.net | 0% | URL Reputation | safe |
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe |
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/connectors | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe |
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe |
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe |
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://canary.designerapp. | 0% | URL Reputation | safe |
https://ic3.teams.office.com | 0% | URL Reputation | safe |
https://www.yammer.com | 0% | URL Reputation | safe |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe |
https://cr.office.com | 0% | URL Reputation | safe |
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe |
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe |
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe |
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe |
https://graph.ppe.windows.net | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://tasks.office.com | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe |
https://api.scheduler. | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
https://edge.skype.com/rps | 0% | URL Reputation | safe |
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe |
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe |
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe |
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://graph.windows.net | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://substrate.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe |
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe |
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe |
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe |
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe |
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe |
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe |
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe |
https://mss.office.com | 0% | URL Reputation | safe |
https://pushchannel.1drv.ms | 0% | URL Reputation | safe |
https://management.azure.com | 0% | URL Reputation | safe |
https://outlook.office365.com | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe |
https://make.powerautomate.com | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe |
https://outlook.office365.com/api/v1.0/me/Activities | 0% | URL Reputation | safe |
https://api.office.net | 0% | URL Reputation | safe |
https://incidents.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/android/policies | 0% | URL Reputation | safe |
https://entitlement.diagnostics.office.com | 0% | URL Reputation | safe |
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://shell.suite.office.com:1443 | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://designerapp.azurewebsites.net | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/connectors | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://cdn.entity. | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://cortana.ai | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://canary.designerapp. | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://www.yammer.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://cr.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | | unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | | unknown
https://portal.office.com/account/?ref=ClientMeControl | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.scheduler. | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | | unknown
https://store.office.cn/addinstemplate | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/rps | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | | unknown
https://globaldisco.crm.dynamics.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://messaging.engagement.office.com/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://web.microsoftstream.com/video/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://api.addins.store.officeppe.com/addinstemplate | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://dataservice.o365filtering.com/ | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://prod-global-autodetect.acompli.net/autodetect | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://substrate.office.com | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://consent.config.office.com/consentcheckin/v1.0/consents | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://d.docs.live.net | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | | unknown
https://safelinks.protection.outlook.com/api/GetPolicy | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://ncus.contentsync. | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.dr | false |
                unknown
                https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                http://weather.service.msn.com/data.aspx5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://apis.live.net/v5.0/5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://officepyservice.office.net/service.functionality5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://templatesmetadata.office.net/5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://messaging.lifecycle.office.com/5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://mss.office.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://pushchannel.1drv.ms5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://management.azure.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://outlook.office365.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://wus2.contentsync.5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://incidents.diagnostics.office.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://clients.config.office.net/user/v1.0/ios5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://make.powerautomate.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.addins.omex.office.net/api/addins/search5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://insertmedia.bing.office.net/odc/insertmedia5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://outlook.office365.com/api/v1.0/me/Activities5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.office.net5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://incidents.diagnosticssdf.office.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://asgsmsproxyapi.azurewebsites.net/5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://clients.config.office.net/user/v1.0/android/policies5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://entitlement.diagnostics.office.com5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json5FC0D1FB-F527-47CB-88B1-CA6E2D3DDE25.0.drfalse
                • URL Reputation: safe
                unknown
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1520603
                Start date and time:2024-09-27 16:42:35 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 34s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Potential Phish.msg
                Detection:CLEAN
                Classification:clean1.winMSG@3/15@0/0
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .msg
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.89.19, 52.113.194.132, 2.19.126.160, 2.19.126.151, 104.208.16.89
                • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, weu-azsc-000.roaming.officeapps.live.com, weu-azsc-config.officeapps.live.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, s-0005.s-msedge.net, onedscolprdcus11.centralus.cloudapp.azure.com, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
• Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • VT rate limit hit for: Potential Phish.msg
                No simulations
Input: URL: Email
Output: Model: jbxai
                {
                "brand":[],
                "contains_trigger_text":false,
                "trigger_text":"",
                "prominent_buttonname":"unknown",
                "text_input_field_labels":"unknown",
                "pdf_icon_visible":false,
                "has_visible_captcha":false,
                "has_urgent_text":false,
                "has_visible_qrcode":false}
                No context
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):231348
                Entropy (8bit):4.387330086564472
                Encrypted:false
                SSDEEP:3072:mBgOuaggmiGu2DqoQFrt0Fvg7E10vjEU9T:mK6mi2WHE1CjEUF
                MD5:674579153ED285C0A37E08A8F547E62B
                SHA1:C43C471FE995F61520DD48056E48438CD75D9724
                SHA-256:A0ACA803D2F11EC3B0012596FF00CFD1AE3B650BBFC78AAB942D4D8998E20E39
                SHA-512:1640FEFF36F9053E824B694BCAF3C72F1576DBE67DBBC3FAC5C54BF97CFB13E63B039411ABB214C42ACC31D50CB398797CB56FBE6A3499E3B2A1154CA9D855DE
                Malicious:false
                Reputation:low
                Preview:TH02...... ..@..........SM01X...,....Y..............IPM.Activity...........h...............h............H..h.........N....h.........4..H..h\jon ...ppDa...h....0... ......h[..{...........h........_`.j...h...{@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h%.Z&....8.....#h....8.........$h.4......8....."h.Y......8[....'h.._...........1h[..{<.........0h....4.....j../h....h......jH..h.d..p........-h .......d.....+h...{........................ ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):177088
                Entropy (8bit):5.286761693300283
                Encrypted:false
                SSDEEP:1536:Ti2XfRAqcbH41gwEwLe7HW8bM/o/NM5cAZl1p5ihs7EXXCEAD2OdaLI:GCe7HW8bM/o/9XPkiI
                MD5:CC73BB2CBAAC52389D7AEDACE70EBCE5
                SHA1:D6B4D92F2EED81EE9353CC1AB34E8CAE95CED1F0
                SHA-256:6A51EB0C73613A09AB7BEA0D009E1013A668C708D3673635810CCA85D265F6A5
                SHA-512:EADBA0CB1FB2C37AE8D73E2B8895843F828F1086557004857977C50EE796647158C68CBA22A0EC4EFF7970D8609F791CAE7D82095D0EC308D8DE0AE21462140C
                Malicious:false
                Reputation:low
                Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-09-27T14:43:39">.. Build: 16.0.18112.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                Category:dropped
                Size (bytes):4096
                Entropy (8bit):0.09304735440217722
                Encrypted:false
                SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                Malicious:false
                Reputation:high, very likely benign file
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite Rollback Journal
                Category:dropped
                Size (bytes):4616
                Entropy (8bit):0.13725295831344364
                Encrypted:false
                SSDEEP:3:7FEG2l+yDl+lH/FllkpMRgSWbNFl/sl+ltlslN04l9Xllmn:7+/lNDl+lBg9bNFlEs1E39+n
                MD5:E0565134C9BB7F772A6FE62BEDBDB314
                SHA1:25C3895E552440A3D01D018DD42F0B434E871100
                SHA-256:D63FC4737C8148965D90F51EAB0B62E69C172BF36F9864965BDFFFEF08DAA080
                SHA-512:DDDFBD06F582422A87486767EC5205E67765F22CF4B53F13201E30CEF6F6416A9AA88976416F6E73529B8A14A1BEA302AD1C525ED04F4386A15E24D7D069F3A3
                Malicious:false
                Reputation:low
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):0.043549911564997504
                Encrypted:false
                SSDEEP:3:G4l2Q4JGFExYFoGYAl2Q4JGFExYFo8XWlL9//Xlvlll1lllwlvlllglbXdbllAlU:G4l2FJduXl2FJduKL9XXPH4l942U
                MD5:B92B5926D00AC00A667A2046909CC10E
                SHA1:0AFE68DD46EEFFCFF8735374679B8087225BCCA2
                SHA-256:78D41A93C8F25919666F3022A69143FF7B2A381A4E2660A3A27E4E99322F9C6B
                SHA-512:489E747A7DF5C7B6D253FEBC8A1FD451A3B6AC617C68408B2116571C21F2736184BF27CD57A5834FB053D26B37D69E8DDBFB4651C2BE3DE596D64F49A2972A32
                Malicious:false
                Reputation:low
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite Write-Ahead Log, version 3007000
                Category:modified
                Size (bytes):45352
                Entropy (8bit):0.3935454189880343
                Encrypted:false
                SSDEEP:24:K9iEQMIzRDXtzTill7DBtDi4kZERDqWTxqt8VtbDBtDi4kZERDf:hEQjjVTill7DYMGWTxO8VFDYMj
                MD5:A0775127AABCE85BF71BCFF27E5ABA5D
                SHA1:BADF26B773A63D49B9CD90C038AA0B3F2F9B1EDC
                SHA-256:C48D6122246E97546477508636E8F7DE2AB1FC04CA72599C2CA0DF6930594783
                SHA-512:9DB52763AE88FCE8E21ED6EE25927254A03D6BE0DA152A96733FA6545EA0C75927E7BAF0AEEC3789E40CBE46CB8CA3160CBA199DE822EE9ED24FAD770FA750BC
                Malicious:false
                Reputation:low
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):1536
                Entropy (8bit):0.9766243566564912
                Encrypted:false
                SSDEEP:12:LZjs10zP+o4zYrfj3JoqQblTh+5thHzO5:uyQzsj32qQZIjlO5
                MD5:9507056DA1B3619DD469FB27746C5328
                SHA1:8F35992DB5E39638CB63A1DD48CE8B6A1C8CD741
                SHA-256:D75FB26EBA9123BD850D094FB3FB21615F3385AC582672ECC70AF841DC2EFEE1
                SHA-512:F9FABF156A69905A0B1747C74E062EFC2B704C69E22812F6BDDB84C50DB102345F25BA172D200DD0599FA84623F84FCFDB4D2E1D90BB035F7B48A5B5C84BE856
                Malicious:false
                Reputation:low
                Preview:....T.H.I.N.K. .F.I.R.S.T.!. .T.h.i.s. .e.-.m.a.i.l. .i.s. .f.r.o.m. .a.n. .e.x.t.e.r.n.a.l. .s.e.n.d.e.r... .P.l.e.a.s.e. .u.s.e. .c.a.u.t.i.o.n. .w.i.t.h. .a.t.t.a.c.h.m.e.n.t.s. .a.n.d. .l.i.n.k.s... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with very long lines (28744), with CRLF line terminators
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.16124089946403145
                Encrypted:false
                SSDEEP:1536:y18WOW0XcLT1G7djGbhAHRWSpXPLgJ1nja8jmEJhN3a78YBO:XpXWU7dK+H4V
                MD5:8399B9A1DCD2C18F6A565F5E010D8705
                SHA1:E228C93A714ACDF75E08598B70B073323F862DA9
                SHA-256:9889625E1A1C6125B800A424E7A13E42C9FF0D1011031B85E14ECA71EF617BBD
                SHA-512:43F6D353CF448E76A5E805EDCD9F50BCF37997B09C9D07FE557A1A6A3D4BC89C25DCF36B47A71B4CA851A739B9BABCC7F2074968B872A3592AFEBD7C88C02B83
                Malicious:false
                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..09/27/2024 14:43:38.469.OUTLOOK (0x15A8).0xE9C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-09-27T14:43:38.469Z","Contract":"Office.System.Activity","Activity.CV":"pAyu9Jq02kuI5E+bKEM9vA.4.9","Activity.Duration":11,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...09/27/2024 14:43:38.500.OUTLOOK (0x15A8).0xE9C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-09-27T14:43:38.500Z","Contract":"Office.System.Activity","Activity.CV":"pAyu9Jq02kuI5E+bKEM9vA.4.10","Activity.Duration":13469,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):94208
                Entropy (8bit):4.4870300210310035
                Encrypted:false
                SSDEEP:768:SG7SkLvTzaF4UvxR9wgX8eEUM0ZVKlg9KASKlLpE0g4hq9IIy8K6a4naj9i7UQNL:+4naj9i7OSXwk
                MD5:876C7C1BE7023C7EE7ADCFC621FD92E8
                SHA1:004C57D4AEE3855FAD292A7B93ACA81360CCC105
                SHA-256:EE4AA33CB8C325B50055822A4AAC1F548594AD778FA53C43A3C87E8C6B0CD28A
                SHA-512:AC3449704B210DD122427C130A733251D6FAFFA0FFADE610D8E801CF726955F2C34318181810DA9A80C20ED9F1FEE20D857CE8324591CF57CFF143DA64A2CBBB
                Malicious:false
                Preview:............................................................................b............X.....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@YP%.............X.............v.2._.O.U.T.L.O.O.K.:.1.5.a.8.:.3.c.a.5.b.7.9.7.8.5.d.0.4.c.b.a.9.3.9.b.7.b.0.7.9.f.0.a.3.6.0.f...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.9.2.7.T.1.0.4.3.3.8.0.1.4.0.-.5.5.4.4...e.t.l.............P.P..........X.....................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):163840
                Entropy (8bit):0.3714429372560909
                Encrypted:false
                SSDEEP:192:eWrzl/fx3A2IJutlwJYqgkhpMNvKoNgiXHWQOoIAbAFAqwNh/:eyz5fWJh7hpMNv4iXHOoIMu
                MD5:3B47D6DE10AADD0342230160F04616FB
                SHA1:62D647C66B3F79A3B18AF5833425102BE52794B5
                SHA-256:664660B67A185D89CE27926FFA9557ECB3F4F2E3B36EFE5CF5743FA89EBD4203
                SHA-512:6FBFF85C40CE3DDA4E1A382BD00ACBD035747EF397CC56112E04BC1AB56C5D4CCB07076E12EEB02E5FE895DE047C2AB64F35377E0F31873E2674611CE21F7A21
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):30
                Entropy (8bit):1.2389205950315936
                Encrypted:false
                SSDEEP:3:y//t:y/
                MD5:43D259C779337EA6A554A9F37266451B
                SHA1:BB31CDF071998C8BBF1A5F3BBEFF76BDE82DE737
                SHA-256:CAA526FFBBC11D11456C5D22F7273E2BA3DA62EC2CBB46E49009F51F2EB2DE82
                SHA-512:99DA9C4B119A6824B183B6F9861CE8C6B178F0FB4F08E90E7BD369BDFE67FD772E856C7955AC9CDE1B450A00D285446D6B48BF9772AF982E253807016066BABC
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):16384
                Entropy (8bit):0.66995594612575
                Encrypted:false
                SSDEEP:12:rl3baFSqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCBm:rYmnq1Py961Q
                MD5:5BDFF03F9651E563C97DC621FCC148C7
                SHA1:2FBFB4E7D11847167E2116C656FC5BCD85516890
                SHA-256:42880B21E0478A3D82243D1740A7059E174568B48268F7BC46699D18607E4974
                SHA-512:E5E82DE0F5641FDBF1790FB687702F14C534763E343996CABFBCDF366A65A58897237CC64CB5DB17E3734FEE54ED38B5D4DA7AB0430F8677E31324BD2F7C02B0
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Microsoft Outlook email folder (>=2003)
                Category:dropped
                Size (bytes):271360
                Entropy (8bit):1.4985219229681206
                Encrypted:false
                SSDEEP:768:hvQcyENY1WjfDa1EUjVcgZ526AG5xitZqakRGT8BUTIZL:hOqjrhUjNZ5Xp4XkueNZL
                MD5:E1729E07DC3587935998FBD562EB7F2F
                SHA1:55EB2008ECD3611E88B6DEEBC92CF4E97E2BBDAA
                SHA-256:0F3783039A8AF60113A06BFC93346145B4C7951B1EDEBB96B4239C21BAF28317
                SHA-512:E8A452164507546EC1C11BE8D1FE08CAACEE49F52A729C055326FC470BE41A2E7294DE859C4AB3218B93C8909C9A7487B2C2E149E5D0A71337E6EB9BD37D6120
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.7994462835225462
                Encrypted:false
                SSDEEP:192:Z0DwjTIoOJMZDe2MrzTJsHytLN2NcwjohjDkF8kVtt:FjTIXJYDeTqHy36cwgjDkVVT
                MD5:D67914443A8F84FBBC5863D6B9762000
                SHA1:A4DF27C289CB18013984D6CF3056731FFC3A866C
                SHA-256:B4A9502640D3C419CFEAFF9B173BDCF1CA3B8F85E9857EEE599CB9E6720ECE9B
                SHA-512:242F7F361D7F7187C9011475327BDBDBD27462FD2C41D972D69D3FC750F7611A3AFB550F001FCB3B0DBF794F65FFC86DED4FA2FED0F83C6C319158ADF45B12D5
                Malicious:false
                File type:CDFV2 Microsoft Outlook Message
                Entropy (8bit):4.268005180633721
                TrID:
                • Outlook Message (71009/1) 58.92%
                • Outlook Form Template (41509/1) 34.44%
                • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                File name:Potential Phish.msg
                File size:72'704 bytes
                MD5:99f39a8d4dd42f201afdd2e04db8cbb1
                SHA1:7670a68e05f9b0ab5b7f3777c641eea5adb275c0
                SHA256:c6813fd4b2aa76220ca019634a1401a1147f47b3243ea4c6861a76a432804f60
                SHA512:f67d339fdd81e08354096b445d66a21aea21f9b3cc5cb43822d5a000d9e0c589fd5f5555338306822898a83d86210d234db2412c9abff1ea71627213ccdfe3b0
                SSDEEP:1536:3xjknLSKCAQav5uU8Lu7iKPEf2WMWh9gM7U0av5z8r7cM:3x1KYaQU65L7at8
                TLSH:BC63F12436FA0119F1B79F725DE290979937BD92AD309A4E3185334E0773980ED62B3B
                Subject:[EXTERNAL] The FTC announces a crackdown on "deceptive AI claims and schemes" by companies including legal services firm DoNotPay, which claimed to offer a "robot lawyer" (Dan Mangan/CNBC)
                From:Parkinson Alejo <parkinsonsa54@gmail.com>
                To:Kelsey Rodich <kelsey.rodich@midoregon.com>
                Cc:
                BCC:
                Date:Thu, 26 Sep 2024 06:55:50 +0200
                Communications:
                • THINK FIRST! This e-mail is from an external sender. Please use caution with attachments and links. ________________________________ Dan Mangan / CNBC:The FTC announces a crackdown on deceptive AI claims and schemes by companies including legal services firm DoNotPay, which claimed to offer a robot lawyer Th...
                Attachments:
                  Content-Type: text/html; charset="utf-8"
                  Content-Transfer-Encoding: base64
                  Date: Wed, 25 Sep 2024 21:55:50 -0700
                  From: Parkinson Alejo <parkinsonsa54@gmail.com>
                  Subject: [EXTERNAL] The FTC announces a crackdown on "deceptive AI claims and schemes" by companies including legal services firm DoNotPay, which claimed to offer a "robot lawyer" (Dan Mangan/CNBC)
                  To: Kelsey Rodich <kelsey.rodich@midoregon.com>
                  Message-Id: <CA+gSnQnQRRN8m9NSROor_cQ9R7XPH4fNCzV71VGC0KwsqfiH7g@mail.gmail.com>
                  Received: by mail-il1-f170.google.com with SMTP id e9e14a558f8ab-3a08c5a2bddso2558635ab.2 for <kelsey.rodich@midoregon.com>; Wed, 25 Sep 2024 21:56:03 -0700 (PDT)
                  Authentication-Results: spf=pass (sender IP is 209.85.166.170) smtp.mailfrom=gmail.com; dkim=fail (signature did not verify) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
                  Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates 209.85.166.170 as permitted sender) receiver=protection.outlook.com; client-ip=209.85.166.170; helo=mail-il1-f170.google.com; pr=C
                  Authentication-Results-Original: ppops.net; spf=pass smtp.mailfrom=parkinsonsa54@gmail.com; dkim=pass header.d=gmail.com header.s=20230601; dmarc=pass header.from=gmail.com
                  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727326562; x=1727931362; darn=midoregon.com; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=h5QUg0rbnxj3wogRe7pOxqceNzY1a0kUvk4tp5JGak8=; b=nkLFODy7wabOP/FTuyy1ulWFYbeqkzX7CHYqLQL59j8XnmBu/R5s/dPk9TBOv6TQbo QmIVSioMacTWLWFcZOrYpzwopy0Aw9DLxgLkrSsh6LGOlsE6T9K3Ike2IqJa55yOleFB Q/viwwwpFFsM4ROPVH6B5qra+E2smKi0W1+RMTV3Yu9A+BZWDVcgA0JuZxjt7tx+5uq7 mDXI8cRD/8R++7aZR+M0CZ64/dUSdCiCRiaIJ30JltM891dtI3XNAO/L4R93Z3oqTMCC 8HQ/JviOIZQsloBvurQglowpKd7nHRIvwI8Dt3uIGpn0mPi2cTKrV3p2ZoAU0IrtHETh tBcw==
                  X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727326562; x=1727931362; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=h5QUg0rbnxj3wogRe7pOxqceNzY1a0kUvk4tp5JGak8=; b=kwsBVDkysO+0ft+3pI1hiQJYcb/Q12B81J/spuNNNuejtQQNAcHuAd4cDo3+OBSMIk eFRwhvBriq7Ip4hCFuxwPX23JdGGXqW4eF7VeTyqkO1lwJFwonVScl9I+j8VF0LwzpDW 8HKBso4GchYz75PDeGw6d4ZM5PbGqlJ/rKg0bpNx/SETGLGWhUjQb4qBd7BiwJ+fCzM9 mGdmh973t+HmQFpzQc955HzJF0KkHzKJTCdyOJzy6zhjp7XEdmN61alw76S1DlrvhFv4 bJjzNRlMCri+m1VgwIT8AHnKVIuoXmtwI8/XoDweA5gMZMfqBdT45O+p6lcyn2MiOsKw 6mjg==
                  X-Gm-Message-State: AOJu0YxsuK3PqyplYp/j7XHFN5ET1YwYCkXcs0RU4iDgYyFAyU7b+6Bm FNsxrAXUVXz4MYhW/6qFPj0fR3pD+IaimEhxVZ6PWNZMyO2/9pNhKbuM+JlpKRCf6Rdh93vzor3 miIA/NIW7WUW3njCifESfOZqcl9TbQA==
                  X-Google-Smtp-Source: AGHT+IFmBBxyOcLn3iPV0KbIgtKhV4KHcsmMl2iY0D7ClE2l+CYuWe0h779HKcPldmB+TRY/cKAKTVlYvoyrQrNXhEU=
                  X-Received: by 2002:a05:6e02:20c9:b0:3a2:463f:fd9f with SMTP id e9e14a558f8ab-3a26d75a43amr51510005ab.11.1727326562342; Wed, 25 Sep 2024 21:56:02 -0700 (PDT)
                  X-Proofpoint-GUID: BoTNvjM1Rn_KV9MXH4EImfJ927IZPP0z
                  X-CLX-Shades: MLX
                  X-Authority-Analysis: v=2.4 cv=EY6aQ+mC c=1 sm=1 tr=0 ts=66f4e963 cx=c_pps a=CJPXSJsgTIwo90TrqDPtZQ==:117 a=jmY1hS42oqOgdVTC:21 a=EaEq8P2WXUwA:10 a=x7bEGLp0ZPQA:10 a=rgKtn6bLMnwA:10 a=95EFz5htlIgA:10 a=MyTZsU5fHIGG00uE7EsA:9 a=QEXdDO2ut3YA:10 a=VJOerCAQz1gUjfy2LL8A:9 a=8CnIJ59McsUPOIFgxzpU:22 a=Uz9EnhuHEG25YKoRyM-d:22
                  X-Proofpoint-ORIG-GUID: BoTNvjM1Rn_KV9MXH4EImfJ927IZPP0z
                  X-CLX-Response: 1TFkXGxwZEQpMehcZHxMRCllEF2JDGhwBZH1TcxpLEQpYWBdsEx5OSGBSXlJ 4RxEKeE4XY1Nja3sTWH4aX14RCnlMF2tjU2ZpREgaBUQYEQpDSBcHGxMRCkNZFwcYHhgRCkNJFx oEGhoaEQpZTRdnZnIRCllJFxpxGhAadwYbHhlxGBwQGncGGBoGGhEKWV4XbGx5EQpJRhdHQ05FW E9NRUR1QkVZXk9OEQpJRxd4T00RCkNOF2hFfmRcQGcbeER1YXwTZ3JiHm9jR0xgExgdY3B6ehpQ EQpYXBcfBBoEGR0cBRsaBBsbGgQbGR4EGR8QGx4aHxoRCl5ZF09hRRkBEQpNXBcTHREKTFoXaUJ NaxEKTEYXb2tra2trEQpCTxdtbVJNa2xbb0hsbREKQ1oXGBoTBBIfBBscHAQbHRoRCkJeFxsRCk JcFxsRCl5OFxsRCkJLF2NTY2t7E1h+Gl9eEQpCSRdjU2NrexNYfhpfXhEKQkUXaFxQTX1NHGV/U 3MRCkJOF2NTY2t7E1h+Gl9eEQpCTBdsEx5OSGBSXlJ4RxEKQmwXZF1ZHF1eZkZ/TG8RCkJAF28Z Z1JYaBpYSWVDEQpCWBdkbk1pfm1IQBpiAREKTV4XGxEKWlgXGBEKeUMXbRlwe0Nif0hMQWMRCll LFxsaHBkdEQpwaBdjY0ZpS2t9YW1pRBATGhEKcGgXa3wSEm5mUk1IR0kQEx8RCnBoF2xObVoBXE FBEx1HEBMaEQpwaBdhRXlwYXpraXl6UxATGhEKcGgXYQFyTXh8WGlHEkYQHhIRCnBsF3p5QEwZZ 3NwaBplEBkaEQptfhcbEQpYTRdLESA=
                  X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-25_16,2024-09-26_01,2024-09-02_01
                  X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 impostorscore=0 mlxscore=0 malwarescore=0 spamscore=0 clxscore=163 adultscore=0 phishscore=0 bulkscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=359 unknownsenderscore=20 classifier= authscore=0 authtc= authcc= adjust=0 reason=mlx scancount=1 engine=8.21.0-2408220000 definitions=main-2409260030 domainage_hfrom=10637
                  Return-Path: parkinsonsa54@gmail.com
                  X-MS-Exchange-Organization-ExpirationStartTime: 26 Sep 2024 04:56:05.2800 (UTC)
                  X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                  X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                  X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                  X-MS-Exchange-Organization-Network-Message-Id: a1a46005-0598-4969-1db6-08dcdde7870e
                  X-EOPAttributedMessage: 0
                  X-EOPTenantAttributedMessage: 0371eb25-ee03-4fa8-9aa3-21c59e2c5ed9:0
                  X-MS-Exchange-Organization-MessageDirectionality: Incoming
                  X-MS-Exchange-SkipListedInternetSender: ip=[209.85.166.170];domain=mail-il1-f170.google.com
                  X-MS-Exchange-ExternalOriginalInternetSender: ip=[209.85.166.170];domain=mail-il1-f170.google.com
                  X-MS-PublicTrafficType: Email
                  X-MS-TrafficTypeDiagnostic: MWH0EPF000971E7:EE_|CY8PR12MB7169:EE_|IA1PR12MB9029:EE_
                  X-MS-Exchange-Organization-AuthSource: MWH0EPF000971E7.namprd02.prod.outlook.com
                  X-MS-Exchange-Organization-AuthAs: Anonymous
                  X-MS-Office365-Filtering-Correlation-Id: a1a46005-0598-4969-1db6-08dcdde7870e
                  X-MS-Exchange-Organization-SCL: -1
                  X-MS-Exchange-Organization-BypassClutter: True
                  X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|7093399012;
                  X-Forefront-Antispam-Report: CIP:148.163.140.223;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mail-il1-f170.google.com;PTR:mail-il1-f170.google.com;CAT:NONE;SFS:(13230040)(82310400026)(7093399012);DIR:INB;
                  X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Sep 2024 04:56:04.8582 (UTC)
                  X-MS-Exchange-CrossTenant-Network-Message-Id: a1a46005-0598-4969-1db6-08dcdde7870e
                  X-MS-Exchange-CrossTenant-Id: 0371eb25-ee03-4fa8-9aa3-21c59e2c5ed9
                  X-MS-Exchange-CrossTenant-AuthSource: MWH0EPF000971E7.namprd02.prod.outlook.com
                  X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                  X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
                  X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR12MB7169
                  X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.1184377
                  X-MS-Exchange-Processed-By-BccFoldering: 15.20.7982.022
                  X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
                  X-PhishAlarm-Format: PhishAlarm O365 Add-In/4.4.190
                  date: Thu, 26 Sep 2024 06:55:50 +0200

                  Icon Hash:c4e1928eacb280a2
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 27, 2024 16:43:44.837016106 CEST | 53 | 61044 | 1.1.1.1 | 192.168.2.4

                  Target ID:0
                  Start time:10:43:35
                  Start date:27/09/2024
                  Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential Phish.msg"
                  Imagebase:0x400000
                  File size:34'446'744 bytes
                  MD5 hash:91A5292942864110ED734005B7E005C0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:1
                  Start time:10:43:39
                  Start date:27/09/2024
                  Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F19DBE1-A52C-4D03-ACEC-422148DC4050" "CFEE4B90-F8DB-44A5-A42E-3BE4AD11C3DE" "5544" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                  Imagebase:0x7ff73d850000
                  File size:710'048 bytes
                  MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  No disassembly