Windows Analysis Report
Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml

Overview

General Information

Sample name: Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml
Analysis ID: 1523715
MD5: 94a804b9ca17adbe945d145f98a26d29
SHA1: a4b3a35b7d748d0764afa4a43916ee3d2ca5ee8c
SHA256: f16f3928eaad112645f4ac6562c084ec7750d8c4999dbb1348627368fef1fb8d

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7980 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7372 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DB308FDE-8E79-4FFB-8803-EF8869D7AE6C" "96143240-E0D4-4601-9735-8501DCA8F7C5" "7980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://webshell.suite.office.com
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://wus2.contentsync.
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 2770B202-5777-4EBB-8EB8-2D56242563E2.1.drString found in binary or memory: https://www.yammer.com
Source: classification engineClassification label: clean1.winEML@3/15@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241001T1819180690-7980.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DB308FDE-8E79-4FFB-8803-EF8869D7AE6C" "96143240-E0D4-4601-9735-8501DCA8F7C5" "7980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DB308FDE-8E79-4FFB-8803-EF8869D7AE6C" "96143240-E0D4-4601-9735-8501DCA8F7C5" "7980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count shown beside that technique in the report):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); System Information Discovery (13); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID: 1523715) | Sample: Remittance AdviceNote 46bf2... | Start date: 02/10/2024 | Architecture: WINDOWS | Score: 1
Processes in the graph: OUTLOOK.EXE (started; node counters 64 and 132, which the graph legend labels as number of created registry values and number of created files) -> ai.exe (started as a child of OUTLOOK.EXE)

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://login.microsoftonline.com/ | 0% | URL Reputation | safe |
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe |
https://designerapp.azurewebsites.net | 0% | URL Reputation | safe |
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe |
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/connectors | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe |
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe |
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe |
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://canary.designerapp. | 0% | URL Reputation | safe |
https://ic3.teams.office.com | 0% | URL Reputation | safe |
https://www.yammer.com | 0% | URL Reputation | safe |
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe |
https://cr.office.com | 0% | URL Reputation | safe |
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe |
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe |
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe |
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe |
https://graph.ppe.windows.net | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-user.acompli.net | 0% | URL Reputation | safe |
https://tasks.office.com | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe |
https://api.scheduler. | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://api.aadrm.com | 0% | URL Reputation | safe |
https://edge.skype.com/rps | 0% | URL Reputation | safe |
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe |
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe |
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe |
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe |
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe |
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://graph.windows.net | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://substrate.office.com | 0% | URL Reputation | safe |
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe |
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe |
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe |
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe |
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe |
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe |
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe |
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe |
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe |
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe |
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe |
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe |
https://mss.office.com | 0% | URL Reputation | safe |
https://pushchannel.1drv.ms | 0% | URL Reputation | safe |
https://management.azure.com | 0% | URL Reputation | safe |
https://outlook.office365.com | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe |
https://make.powerautomate.com | 0% | URL Reputation | safe |
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe |
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe |
https://outlook.office365.com/api/v1.0/me/Activities | 0% | URL Reputation | safe |
https://api.office.net | 0% | URL Reputation | safe |
https://incidents.diagnosticssdf.office.com | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
https://clients.config.office.net/user/v1.0/android/policies | 0% | URL Reputation | safe |
https://entitlement.diagnostics.office.com | 0% | URL Reputation | safe |
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 0% | URL Reputation | safe |
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://login.microsoftonline.com/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://shell.suite.office.com:14432770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://designerapp.azurewebsites.net2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://autodiscover-s.outlook.com/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/connectors2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://cdn.entity.2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/appinfo/query2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://powerlift.acompli.net2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://rpsticket.partnerservices.getmicrosoftkey.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://lookup.onenote.com/lookup/geolocation/v12770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://cortana.ai2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://api.powerbi.com/v1.0/myorg/imports2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://cloudfiles.onenote.com/upload.aspx2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://entitlement.diagnosticssdf.office.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://api.aadrm.com/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://ofcrecsvcapi-int.azurewebsites.net/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://canary.designerapp.2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://ic3.teams.office.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://www.yammer.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
  • URL Reputation: safe
unknown
https://api.microsoftstream.com/api/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
    unknown
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
    • URL Reputation: safe
    unknown
    https://cr.office.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
    • URL Reputation: safe
    unknown
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
      unknown
      https://messagebroker.mobile.m365.svc.cloud.microsoft2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
      • URL Reputation: safe
      unknown
      https://otelrules.svc.static.microsoft2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        unknown
        https://portal.office.com/account/?ref=ClientMeControl2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://clients.config.office.net/c2r/v1.0/DeltaAdvisory2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://edge.skype.com/registrar/prod2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://graph.ppe.windows.net2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://res.getmicrosoftkey.com/api/redemptionevents2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://powerlift-user.acompli.net2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://tasks.office.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://officeci.azurewebsites.net/api/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://sr.outlook.office.net/ws/speech/recognize/assistant/work2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://api.scheduler.2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
        • URL Reputation: safe
        unknown
        https://my.microsoftpersonalcontent.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
          unknown
          https://store.office.cn/addinstemplate2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
          • URL Reputation: safe
          unknown
          https://api.aadrm.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
          • URL Reputation: safe
          unknown
          https://edge.skype.com/rps2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
          • URL Reputation: safe
          unknown
          https://outlook.office.com/autosuggest/api/v1/init?cvid=2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
            unknown
            https://globaldisco.crm.dynamics.com2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
            • URL Reputation: safe
            unknown
            https://messaging.engagement.office.com/2770B202-5777-4EBB-8EB8-2D56242563E2.1.drfalse
            • URL Reputation: safe
            unknown
URLs found in dropped file 2770B202-5777-4EBB-8EB8-2D56242563E2.1.dr (source for every row below)
URL | Malicious | Detection | Reputation
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | false | URL Reputation: safe | unknown
https://web.microsoftstream.com/video/ | false | URL Reputation: safe | unknown
https://api.addins.store.officeppe.com/addinstemplate | false | URL Reputation: safe | unknown
https://graph.windows.net | false | URL Reputation: safe | unknown
https://dataservice.o365filtering.com/ | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | false | URL Reputation: safe | unknown
https://prod-global-autodetect.acompli.net/autodetect | false | URL Reputation: safe | unknown
https://substrate.office.com | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | false | URL Reputation: safe | unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | false | URL Reputation: safe | unknown
https://consent.config.office.com/consentcheckin/v1.0/consents | false | URL Reputation: safe | unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | URL Reputation: safe | unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | false | URL Reputation: safe | unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | false | URL Reputation: safe | unknown
https://d.docs.live.net | false | | unknown
https://safelinks.protection.outlook.com/api/GetPolicy | false | URL Reputation: safe | unknown
https://ncus.contentsync. | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | false | | unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | false | URL Reputation: safe | unknown
http://weather.service.msn.com/data.aspx | false | URL Reputation: safe | unknown
https://apis.live.net/v5.0/ | false | URL Reputation: safe | unknown
https://officepyservice.office.net/service.functionality | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | false | URL Reputation: safe | unknown
https://templatesmetadata.office.net/ | false | URL Reputation: safe | unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | false | URL Reputation: safe | unknown
https://messaging.lifecycle.office.com/ | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | false | URL Reputation: safe | unknown
https://mss.office.com | false | URL Reputation: safe | unknown
https://pushchannel.1drv.ms | false | URL Reputation: safe | unknown
https://management.azure.com | false | URL Reputation: safe | unknown
https://outlook.office365.com | false | URL Reputation: safe | unknown
https://wus2.contentsync. | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/ios | false | URL Reputation: safe | unknown
https://make.powerautomate.com | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/api/addins/search | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/odc/insertmedia | false | URL Reputation: safe | unknown
https://outlook.office365.com/api/v1.0/me/Activities | false | URL Reputation: safe | unknown
https://api.office.net | false | URL Reputation: safe | unknown
https://incidents.diagnosticssdf.office.com | false | URL Reputation: safe | unknown
https://asgsmsproxyapi.azurewebsites.net/ | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | false | URL Reputation: safe | unknown
https://entitlement.diagnostics.office.com | false | URL Reputation: safe | unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | false | URL Reputation: safe | unknown
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1523715
                Start date and time:2024-10-02 00:18:11 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 52s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml
                Detection:CLEAN
                Classification:clean1.winEML@3/15@0/0
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .eml
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 2.19.126.160, 2.19.126.151, 20.50.73.4
                • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdneu13.northeurope.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com, a1864.dscd.akamai.net
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml
                No simulations
                No context
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):231348
                Entropy (8bit):4.392126066812901
                Encrypted:false
                SSDEEP:3072:B+Csgio9eRKXuQgNKmiGu2JmFNqoQVxrt0FvtTe2Rx9QqUirHg1Ai96csGTwrfG2:8Clmi2P+nRmil
                MD5:C308FA3F9E161A95197472565E08FCBB
                SHA1:23EBD0A9286D3C4064AA241EF021B93B61EF1B7E
                SHA-256:AA6C11E89136ADCBE5436CCA0C372C93885BD39520604B672BD379DEED1C66EE
                SHA-512:582B563FE523B10F8D3045EFB5B3E828B2C206905845014F0C7348EE9F7A8FFAB4164861DB4AFAD3582AFEB682F7384B0FECE6C3E42045D5FE4588B2A722FA01
                Malicious:false
                Reputation:low
                Preview:TH02...... .....O.......SM01X...,.......O...........IPM.Activity...........h...............h............H..h.........s.....h............H..h\FRO ...1\Ap...h...0...h......h.u.............h........_`Pk...hit..@...I.tw...h....H...8.Uk...0....T...............d.........2h...............kQmB_..........!h.............. hy.............#h....8.........$h........8....."h..............'h..............1h.u..<.........0h....4....Uk../h....h.....UkH..h....p.........-h .............+h.u......................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):322260
                Entropy (8bit):4.000299760592446
                Encrypted:false
                SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                MD5:CC90D669144261B198DEAD45AA266572
                SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                Malicious:false
                Reputation:high, very likely benign file
Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with no line terminators
                Category:modified
                Size (bytes):10
                Entropy (8bit):1.8954618442383218
                Encrypted:false
                SSDEEP:3:LCVULX:kULX
                MD5:E0EF5407AAEB22AA5E6C0FB9C2D2056E
                SHA1:51A59D58C5FC98CE7A18B4AFD29D9AE43E82F9F8
                SHA-256:E0F1B031458E7A15857E3FCF79643E2FE95670AC21EC92FD98CD81C930739C6D
                SHA-512:3C61EC72F50B27BE1F2D698ED865C4462F932704138BEE753784CA25F27510879287FB3C7A76B8A25B6AD28C135FD3AC2B7C690A7495EAD7B176E3AD326B668C
                Malicious:false
                Reputation:low
                Preview:1727821172
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):177088
                Entropy (8bit):5.286722716827402
                Encrypted:false
                SSDEEP:1536:Ui2XfRAqcbH41gwEwLe7HW8bM/o/NM5cAZl1p5ihs7EXXCEAD2OdaLI:xCe7HW8bM/o/9XPkiI
                MD5:C4F923DE72C43F864EAD5A7980F8040C
                SHA1:45F5C1B9BCF73075E7C6AF238E7AB3576E24AB7D
                SHA-256:D5A2B0AAF1CA669480B51F2D75C519CAA5B057D0E3F8AEC26EA989DA8E449A4F
                SHA-512:75164E397D6765C901E6379865091C0516DF313A232BCF3B711517C5B8F9020D589AF285ECD0BBC31F2A8E33DC1C9177786C77D07C52E02E563A242B787327B3
                Malicious:false
                Reputation:low
                Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-01T22:19:23">.. Build: 16.0.18112.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                Category:dropped
                Size (bytes):4096
                Entropy (8bit):0.09304735440217722
                Encrypted:false
                SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite Rollback Journal
                Category:dropped
                Size (bytes):4616
                Entropy (8bit):0.13784977103055013
                Encrypted:false
                SSDEEP:3:7FEG2l++EH/FllkpMRgSWbNFl/sl+ltlslN04l9XllK:7+/l9Kg9bNFlEs1E39C
                MD5:B356EDCD35D38C60831AA9277A1312F6
                SHA1:98C8146F9A6BF395752C47A8B7D7F1F2BC2A7867
                SHA-256:E364C8472CA09C48F47FCC78A1A2B10E7DF04DA7E82F4BEE00FB30AAAFC55C36
                SHA-512:08D1C8E790AFD22F92DD05670E4565D734780A9213417534E6385BA089BC4DBA978F4BA477795F03A6752775FDFBB508982CEFCE9D89310FDBA9D360FC920975
                Malicious:false
                Reputation:low
                Preview:.... .c.......x.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):0.04450027198542196
                Encrypted:false
                SSDEEP:6:G4l2K4xSfLI7Al2K4xSfLIy0L9XXPH4l942U:l2K4xSjIM2K4xSjIT5A0
                MD5:A02BDB2AF7B499522909E6A0CD51937A
                SHA1:2A9C882FD6283FCC513BBE3D5D9C92D3AEB90FB5
                SHA-256:47C5D579D94D8C3E5784CDC1751052A0D4A329CADB060C400CAF2C2DE0E6A127
                SHA-512:6E19587A16676A575AE4FDB9B4817E1281CDB969CDC83CDBE1E209773647FADC6582644E76CB048DD5ADFBF9176ED21AD57C4FB4E8D31E7E4FBC4FA0AB3398EE
                Malicious:false
                Reputation:low
                Preview:..-......................~.G.Mr..\...{......d...-......................~.G.Mr..\...{......d.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite Write-Ahead Log, version 3007000
                Category:dropped
                Size (bytes):45352
                Entropy (8bit):0.39575742509063194
                Encrypted:false
                SSDEEP:24:KoDe/pQMIzRDYT0XiFill7DBtDi4kZERDYWwrxqt8VtbDBtDi4kZERDYMHv:ZeRQjoHill7DYMBcxO8VFDYM
                MD5:B2A31BADE59C7AC06863DE7669124F32
                SHA1:A9E516EAE42815CD4F60C0619AD1B2F83BF30E59
                SHA-256:F178A60973F69F7643D31EFD66F3C6E668257E1D3702640F24E803F6CCD5E88E
                SHA-512:1F7793312AF7703BA64E1A797B3A8E136A0F809835663361A58C18B36022D0E5428D991DA13BA4A5840F6025B9F5928209F72A8F5917C36B00F9C021BA454F3A
                Malicious:false
                Preview:7....-...........\...{..._.V............\...{....T.._.SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with very long lines (28727), with CRLF line terminators
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.16121712300481753
                Encrypted:false
                SSDEEP:1536:SedTCQokBdT6Q4RG1cBj6Msbg1xA/aShng36XNWCD7iXSSNg61ajb8sTvujtlXBz:OBkPF4RbokA+
                MD5:29BE3DBBC2E9ADF648753F1FC3AC50AA
                SHA1:8831D593A9084B86FA3061A19AADE500531E5C63
                SHA-256:52C82B96A10B52C96B603F839EDDBE7618AEB62D09983E72D0EACFFDBD8A8DF1
                SHA-512:A73853526867352F847CC5855841AAD90B9550018A27414B964E6ED1464040736CF431E2D263CFF5F7C3A929906FB54E17066AF1CFF208324FCCA798BE54C18B
                Malicious:false
                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/01/2024 22:19:19.143.OUTLOOK (0x1F2C).0x1F30.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":20,"Time":"2024-10-01T22:19:19.143Z","Contract":"Office.System.Activity","Activity.CV":"3qnXSOMNqEmLSPkEMT4f5g.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/01/2024 22:19:19.159.OUTLOOK (0x1F2C).0x1F30.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-10-01T22:19:19.159Z","Contract":"Office.System.Activity","Activity.CV":"3qnXSOMNqEmLSPkEMT4f5g.4.10","Activity.Duration":13508,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                Malicious:false
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):110592
                Entropy (8bit):4.4902447324988985
                Encrypted:false
                SSDEEP:768:XWbFtRPwbKTcS2O/JYii4mD8R9zkxDshTbW+WszXyMUHZ8k3JBtZmTV:XA2OJ044I9zkxDshThXyR5xG
                MD5:42DDDE5DA36A0CE07BB972EEA1DB4080
                SHA1:A3360DA0DF72F2AD730BBB731C3DC2BFAEAC77F5
                SHA-256:A454F4ED480C0E34891F472138CB4BB3BF770C0813B4A41E3F85611184C566AA
                SHA-512:EF2E29F0554ABD709E5B71E8F211352C7C814ABD756DDC101B16051D6D9EB03F1CEFA7D7F765ED80456DD8F4BBA2A92F5DB7BB1CB1A6EE6141262A0BA642C659
                Malicious:false
                Preview:............................................................................h...0...,....X<.O...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................~..Q............X<.O...........v.2._.O.U.T.L.O.O.K.:.1.f.2.c.:.b.6.a.c.0.9.3.3.8.7.6.3.4.f.b.2.a.3.c.9.4.6.d.0.f.2.a.4.3.e.9.2...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.1.T.1.8.1.9.1.8.0.6.9.0.-.7.9.8.0...e.t.l.......P.P.0...,....X<.O...................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):30
                Entropy (8bit):1.2389205950315936
                Encrypted:false
                SSDEEP:3:1Chl1:Ih
                MD5:538BF482E4650E2768FD0F9A1199007B
                SHA1:69468EC7892E8FB0AFEF66D3B49849EBC003A0A1
                SHA-256:33A6B0F74F591BE6D90A07FE7C8904545A630E4812AD09E69725D22EAB9ACE74
                SHA-512:93ECDFFA6F16A8C50B3A271AE04E41C1787E6833DE30CC3CA436B7DB53176C71B644B851966ADA0035E1C6BE0F3F9A3E0BB4A99FC80B314B07E299F71DAEC4DC
                Malicious:false
                Preview:.....'........................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):16384
                Entropy (8bit):0.6702893149660493
                Encrypted:false
                SSDEEP:12:rl3baFTqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCKqCwum:rbmnq1Py961Owum
                MD5:CF1F8BF1B638B0E603768F0B5646A920
                SHA1:0FBC9A1706219EE6836F1F248C0DC73597AF7E91
                SHA-256:2AF701A006372605C86F9D7454D44D880DCD4E133A4566E7658121EE1FCA1EE7
                SHA-512:A4A34BE248C6D81B4C015B050C0C88B307F2168DF1EFDA8FEC9FD046131EE2C25AADC3A303E073C7EEF5730954B7A9C732FD336947081C630FD22402524CA816
                Malicious:false
                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Microsoft Outlook email folder (>=2003)
                Category:dropped
                Size (bytes):271360
                Entropy (8bit):2.3486075169754694
                Encrypted:false
                SSDEEP:1536:P3nnmcfkHxL1QZoMiXU/FSnzKEyjtRyW53jEpEHP4qQ10PAwrmax/FW53jEpEHPN:vmfxc5/FStNp9xOp9
                MD5:ED65B0FCA742C188BAD6DEF1D3410397
                SHA1:76418EEF6338FDBE125A1689CFA38024C95B70F9
                SHA-256:30B3BC8E89D2C9E877544D787EDBA5F78FE7CB774A14C3BEFCD1053A78A334B6
                SHA-512:F0C207B09933C6BCEC4B98E554E4B4E2648B2F7E6483CC4BC770D74CED4AB206116E2B8F86E48711D5654A7CF41EEBEC759764A8241421CCD5547AAB75764C7D
                Malicious:false
                Preview:!BDNN..'SM......\.... ..........N.......b................@...........@...@...................................@...........................................................................$.......D......................J...............M...........................................................................................................................................................................................................................................................................................(........._%..E.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):2.896671028478702
                Encrypted:false
                SSDEEP:1536:pg6/FhnzKaZNW53jEpEHP4qQ10PAwrbBReLbF/LaS:T/Fhxbp9l9a
                MD5:C12FF8D8596C5B854430C3621D412150
                SHA1:7713624D33A66B6627FB0F6C86B6DA62F433B3C8
                SHA-256:2414DA2FCE51B8F31EC8760E2D8BF523E9E081398BDF1FD3F54810E5ABE2C37A
                SHA-512:7D4464C86696A8B77132C3F00A944FBFF2FCCB71B9259BFAB0FC938AE458C3E225B12F7D55533B0C3A856031240530D3651F2F957345E70DA2C73864FA99ABC7
                Malicious:false
                Preview:....C...c.......,...6..O.....................#.!BDNN..'SM......\.... ..........N.......b................@...........@...@...................................@...........................................................................$.......D......................J...............M...........................................................................................................................................................................................................................................................................................(........._%..E.6..O........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                File type:RFC 822 mail, ASCII text, with CRLF line terminators
                Entropy (8bit):6.063838130865101
                TrID:
                • E-Mail message (Var. 5) (54515/1) 100.00%
                File name:Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml
                File size:8'591 bytes
                MD5:94a804b9ca17adbe945d145f98a26d29
                SHA1:a4b3a35b7d748d0764afa4a43916ee3d2ca5ee8c
                SHA256:f16f3928eaad112645f4ac6562c084ec7750d8c4999dbb1348627368fef1fb8d
                SHA512:7d0194358bd5ffc5d05d24bcb1b4d6fe954288c08e891aba8bcd6d18f7697e0b0cdf1dd2637b4d48382d1d66baf0ea6e8f94fe3a80359509ea94771ed48194df
                SSDEEP:96:MRIwIRizOnN3chU4XZYIvYI43x0iD1lA+nEqRyHbtiZd4IfcqsCNQjRprum9jRUn:xZKX6x0WlA+RYJI4ISn1fUOdISR6VeOx
                TLSH:E4020B48CE259829DE6221C61C483D4BA7F73AD778F364C17884D5E606DB4EADF8148F
                File Content Preview:Received: from CH0PR14MB7144.namprd14.prod.outlook.com (2603:10b6:610:18d::6).. by IA1PR14MB6320.namprd14.prod.outlook.com with HTTPS; Wed, 4 Sep 2024.. 13:40:21 +0000..Received: from BYAPR05CA0085.namprd05.prod.outlook.com (2603:10b6:a03:e0::26).. by CH0
                Subject:Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8
                From:ePayment Confirmation <contact@familylaw-va.com>
                To:zmulligan@harmonycares.com
                Cc:
                BCC:
                Date:Wed, 04 Sep 2024 13:40:14 +0000
                Communications:
                  Attachments:
                    Key:Value
                    Received:from [127.0.0.1] (141.95.114.239) by CO1PEPF000042AE.mail.protection.outlook.com (10.167.243.43) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7918.13 via Frontend Transport; Wed, 4 Sep 2024 13:40:16 +0000
                    Authentication-Results:spf=fail (sender IP is 141.95.114.239) smtp.mailfrom=familylaw-va.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=familylaw-va.com;compauth=none reason=405
                    Received-SPF:Fail (protection.outlook.com: domain of familylaw-va.com does not designate 141.95.114.239 as permitted sender) receiver=protection.outlook.com; client-ip=141.95.114.239; helo=[127.0.0.1];
                    Content-Type:text; name="Electronic_Receipt_ATT0001.htm"
                    Content-Transfer-Encoding:base64
                    Content-Disposition:attachment; filename="Electronic_Receipt_ATT0001.htm"
                    From:ePayment Confirmation <contact@familylaw-va.com>
                    To:zmulligan@harmonycares.com
                    Subject:Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8
                    Message-ID:<fc60b2ff-93a8-2094-f05d-6964fce35c29@familylaw-va.com>
                    Date:Wed, 04 Sep 2024 13:40:14 +0000
                    Return-Path:contact@familylaw-va.com
                    X-MS-Exchange-Organization-ExpirationStartTime:04 Sep 2024 13:40:16.6258 (UTC)
                    X-MS-Exchange-Organization-ExpirationStartTimeReason:OriginalSubmit
                    X-MS-Exchange-Organization-ExpirationInterval:1:00:00:00.0000000
                    X-MS-Exchange-Organization-ExpirationIntervalReason:OriginalSubmit
                    X-MS-Exchange-Organization-Network-Message-Id:caa5945c-3435-4e80-20e5-08dccce71c6e
                    X-EOPAttributedMessage:0
                    X-EOPTenantAttributedMessage:99eeee6a-7775-40c0-9774-191218ab647e:0
                    X-MS-Exchange-Organization-MessageDirectionality:Incoming
                    X-MS-PublicTrafficType:Email
                    X-MS-TrafficTypeDiagnostic:CO1PEPF000042AE:EE_|CH0PR14MB7144:EE_|IA1PR14MB6320:EE_
                    X-MS-Exchange-Organization-AuthSource:CO1PEPF000042AE.namprd03.prod.outlook.com
                    X-MS-Exchange-Organization-AuthAs:Anonymous
                    X-MS-Office365-Filtering-Correlation-Id:caa5945c-3435-4e80-20e5-08dccce71c6e
                    X-MS-Exchange-Organization-SCL:1
                    X-Microsoft-Antispam:BCL:0;ARA:13230040|2092899012|3072899012|5062899012|12012899012|3092899012;
                    X-Forefront-Antispam-Report:CIP:141.95.114.239;CTRY:FR;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:[127.0.0.1];PTR:ip239.ip-141-95-114.eu;CAT:NONE;SFS:(13230040)(2092899012)(3072899012)(5062899012)(12012899012)(3092899012);DIR:INB;
                    X-MS-Exchange-CrossTenant-OriginalArrivalTime:04 Sep 2024 13:40:16.1571 (UTC)
                    X-MS-Exchange-CrossTenant-Network-Message-Id:caa5945c-3435-4e80-20e5-08dccce71c6e
                    X-MS-Exchange-CrossTenant-Id:99eeee6a-7775-40c0-9774-191218ab647e
                    X-MS-Exchange-CrossTenant-AuthSource:CO1PEPF000042AE.namprd03.prod.outlook.com
                    X-MS-Exchange-CrossTenant-AuthAs:Anonymous
                    X-MS-Exchange-CrossTenant-FromEntityHeader:Internet
                    X-MS-Exchange-Transport-CrossTenantHeadersStamped:CH0PR14MB7144
                    X-MS-Exchange-Transport-EndToEndLatency:00:00:05.0863092
                    X-MS-Exchange-Processed-By-BccFoldering:15.20.7918.023
                    X-Microsoft-Antispam-Mailbox-Delivery:ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
                    X-Microsoft-Antispam-Message-Info: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
                    MIME-Version:1.0

                    Icon Hash:46070c0a8e0c67d6
                    No network behavior found

                    Target ID:1
                    Start time:18:19:16
                    Start date:01/10/2024
                    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Remittance AdviceNote 46bf2e6451b485c12ea123d451b869f8.eml"
                    Imagebase:0x420000
                    File size:34'446'744 bytes
                    MD5 hash:91A5292942864110ED734005B7E005C0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    Target ID:2
                    Start time:18:19:23
                    Start date:01/10/2024
                    Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DB308FDE-8E79-4FFB-8803-EF8869D7AE6C" "96143240-E0D4-4601-9735-8501DCA8F7C5" "7980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                    Imagebase:0x7ff781a20000
                    File size:710'048 bytes
                    MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    No disassembly