Edit tour

Windows Analysis Report
T20241002.0732 fromdannygirolomo.eml

Overview

General Information

Sample name:	T20241002.0732 fromdannygirolomo.eml
Analysis ID:	1527236
MD5:	d1bc527051354cf5aafc634dab8bd8e2
SHA1:	573fd6f64edc6e34e475482242f687fe720473a7
SHA256:	b60d5c217de302e6f9c32050e825bc5eb1d05c573febb4ecd412fb393b3758ce
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 5416 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\T20241002.0732 fromdannygirolomo.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 5668 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B2A630FC-E489-4A36-B3BF-21861D92706D" "06613B3F-7C3D-4BF7-9980-8A8B7D10123A" "5416" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\XWO0DNB8\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.office.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://api.scheduler.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://augloop.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.entity.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cortana.ai
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://cr.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://directory.services.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ecs.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://graph.windows.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://invites.office.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.windows.local
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://management.azure.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://management.azure.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://mss.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://substrate.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://tasks.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: clean1.winEML@3/18@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241006T1507390394-5416.etl

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\T20241002.0732 fromdannygirolomo.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B2A630FC-E489-4A36-B3BF-21861D92706D" "06613B3F-7C3D-4BF7-9980-8A8B7D10123A" "5416" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B2A630FC-E489-4A36-B3BF-21861D92706D" "06613B3F-7C3D-4BF7-9980-8A8B7D10123A" "5416" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: T20241002.0732 fromdannygirolomo.eml

Static file information: File size 4072991 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: T20241002.0732 fromdannygirolomo.eml	Binary or memory string: HYSrcMSZw9u4mPMmTnc+Z2tzO3a7tr+BLhBvmcIuX8zim/vtf8V/8lveBvir8TPhrKZ/h/498XeD
Source: T20241002.0732 fromdannygirolomo.eml	Binary or memory string: TcIylCVOMpRlfSSnpGUraKG6V/O3u/PZxicNiKlCeHqKcoxnGbUZRsrxcNZRjfeezdvK/vfyPeJN
Source: T20241002.0732 fromdannygirolomo.eml	Binary or memory string: 4udTP/bW1/pZ8kfzHXqafO99N9He97/O2u9klpouvMci7v7tvXVa/LTtraNN/Amjjj7TqXP/AE2t
Source: T20241002.0732 fromdannygirolomo.eml	Binary or memory string: X9f1+Z4l8UfEXwts449Q0rQtG2ync9vpUdlLBcSu5bfLCsXlxHAJwFBwMBCOKAPM/FH7QHgfSfB1
Source: T20241002.0732 fromdannygirolomo.eml	Binary or memory string: lFRkmfN53xZkfD9XD4bH4qc8fi/91y3BYetjsyxC973qeDwsKtZQfJJKpOMKcpRlFScl7vuesf8A
Source: T20241002.0732 fromdannygirolomo.eml	Binary or memory string: V4/CYHCP46GHyTIoxrScI03Ou/7NUsRVnThGFSrXc6tRRSnKViMz8PeE85xn1/NMvxeOxi+CviM8

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe
https://entitlement.diagnostics.office.com	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://store.office.cn/addinstemplate	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	582A8D1D-5EB0-4BE2-978A-5B981BE6AACA.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527236
Start date and time:	2024-10-06 21:06:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	T20241002.0732 fromdannygirolomo.eml
Detection:	CLEAN
Classification:	clean1.winEML@3/18@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 184.28.90.27, 20.189.173.9
Excluded domains from analysis (whitelisted): ecs.office.com, onedscolprdwus08.westus.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: T20241002.0732 fromdannygirolomo.eml

Input	Output
URL: Email Model: jbxai	{ "brand":["Wit and Wisdom Sonoma"], "contains_trigger_text":false, "trigger_text":"", "prominent_button_name":"unknown", "text_input_field_labels":"unknown", "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "text":"Danny Girolomo Executive Chef Wit and Wisdom Sonoma 1325 Broadway Sonoma, California 95476 C: (517 304-7172)", "has_visible_qrcode":false}

URL: Email Model: jbxai

{
"brand":["Wit and Wisdom Sonoma"],
"contains_trigger_text":false,
"trigger_text":"",
"prominent_button_name":"unknown",
"text_input_field_labels":"unknown",
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":false,
"text":"Danny Girolomo Executive Chef Wit and Wisdom Sonoma 1325 Broadway Sonoma,
 California 95476 C: (517 304-7172)",
"has_visible_qrcode":false}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.38293725466027
Encrypted:	false
SSDEEP:	1536:hgYLBBgsMDiilU9MIgsLPNcAz79ysQqt2c52tqoQFNrcm0FvXlcKyBtFtTLGtiVV:pvgfGlg4miGu25qoQ/rt0FvE9V5sWOo
MD5:	BA5B47FDD15D0E7481F8F6849829DCEE
SHA1:	45F9B61A53768F2FDCE882D8844FE778845C139F
SHA-256:	AFFDAFDB673B401A5E7569260035817498F6AC0A067CF2135D91EB3B8A957E3A
SHA-512:	EDFC502B2C5C827CC56791A750C8527F20C5BBF03DE961128F53E44424F4AA0309EF748D2F39556420B23210019B9E6F20C7A87457EEEA220594E3CFC599232F
Malicious:	false
Reputation:	low
Preview:	TH02...... .0...".......SM01X...,...`..."...........IPM.Activity...........h...............h............H..h...........m...h............H..h\jon ...ppDa...hh...0........h...............h........_`.j...h....@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. hr.............#h....8.........$h........8....."h@.............'h..............1h....<.........0h....4.....j../h....h......jH..h.m..p.........-h .......$.....+h/.......x................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	5.978954318297272
TrID:	E-Mail message (Var. 4) (15504/1) 100.00%
File name:	T20241002.0732 fromdannygirolomo.eml
File size:	4'072'991 bytes
MD5:	d1bc527051354cf5aafc634dab8bd8e2
SHA1:	573fd6f64edc6e34e475482242f687fe720473a7
SHA256:	b60d5c217de302e6f9c32050e825bc5eb1d05c573febb4ecd412fb393b3758ce
SHA512:	5cc56c546839b8b4122d3adc860d4941b239bbb076d1b9049dcdd7993953bbb7763b7fb9013470b8f3859ac7a0a7ad901b1a79ad041ee0c165bd7b4d99b07a3e
SSDEEP:	49152:w4gwuMKsF/q7O2lvDXfknOCd8J7CE218Qj6xeKlwblfZ+VCi5toBsdM6xqMg:Z
TLSH:	501601385A032CF54E3BD3D561EDBE19AAA899F31580458D81EB3FC064F1E90EF56C26
File Content Preview:	To: Angelica Sanchez <angelica.sanchez@thelodgeatsonoma.com>,.. Araceli Bence <Araceli.Bence@thelodgeatsonoma.com>..Subject: Strange email..From: Danny Girolomo <Danny.Girolomo@witandwisdomsonoma.com>..MIME-Version: 1.0..Content-Type: multipart/mixed; bou

Subject:	Strange email
From:	Danny Girolomo <Danny.Girolomo@witandwisdomsonoma.com>
To:	Angelica Sanchez <angelica.sanchez@thelodgeatsonoma.com>, Araceli Bence <Araceli.Bence@thelodgeatsonoma.com>
Cc:
BCC:
Date:
Communications:	Danny GirolomoExecutive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Danny GirolomoExecutive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Danny GirolomoExecutive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Danny GirolomoExecutive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Danny GirolomoExecutive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Danny Girolomo Executive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Executive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Executive ChefWit and Wisdom Sonoma1325 BroadwaySonoma, California 95476C: (517 304-7172) Executive Chef Executive Chef Wit and Wisdom Sonoma Wit and Wisdom Sonoma 1325 Broadway 1325 Broadway 1325 Broadway Sonoma, California 95476 Sonoma, California 95476 Sonoma, California 95476 C: (517 304-7172) C: (517 304-7172) 517 304-7172
Attachments:	IMG_5068.jpeg IMG_5066.jpeg

Key	Value
To	Angelica Sanchez <angelica.sanchez@thelodgeatsonoma.com>, Araceli Bence <Araceli.Bence@thelodgeatsonoma.com>
Subject	Strange email
From	Danny Girolomo <Danny.Girolomo@witandwisdomsonoma.com>
MIME-Version	1.0
Content-Type	multipart/mixed; boundary="===============0683972376356919613=="

Target ID:	0
Start time:	15:07:37
Start date:	06/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\T20241002.0732 fromdannygirolomo.eml"
Imagebase:	0xe30000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	1
Start time:	15:07:43
Start date:	06/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B2A630FC-E489-4A36-B3BF-21861D92706D" "06613B3F-7C3D-4BF7-9980-8A8B7D10123A" "5416" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff6ecca0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JSON data
Category:	modified
Size (bytes):	521377
Entropy (8bit):	4.9084889265453135
Encrypted:	false
SSDEEP:	3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
MD5:	C37972CBD8748E2CA6DA205839B16444
SHA1:	9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:	D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:	02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:	dropped
Size (bytes):	773040
Entropy (8bit):	6.55939673749297
Encrypted:	false
SSDEEP:	12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
MD5:	4296A064B917926682E7EED650D4A745
SHA1:	3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:	E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:	A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........... OS/29....(...`cmap.s.,.......pglyf..&....\|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N.........!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&..............&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q..................{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...p..

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177810
Entropy (8bit):	5.287219937132073
Encrypted:	false
SSDEEP:	1536:wi2XfRAqcbH41gwEwLe7HW8bM/o/NMdcAZl1p5ihs7EXXPEAD2Odavo:lCe7HW8bM/o/TXsk4o
MD5:	04123013782A4F5E33FFEE26B9EAE7D2
SHA1:	F6ABAD80DEC86A59FC65CC7A957CB5E687F43CDA
SHA-256:	713D96F38AC179A4E4E035DF98914926067AFFFAE6801E4C97C933E10B16D8FD
SHA-512:	A1A6C90F99AB1867396A260C0617E0600A85FFEFDD3F02A5836F583AD2F133EA9D585782624C26C3DB12A591A87E2DFBB0E84170E315F4403FC6F662ECD92A87
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-06T19:07:44">.. Build: 16.0.18124.40132-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2], baseline, precision 8, 1170x2532, components 3
Category:	dropped
Size (bytes):	2228593
Entropy (8bit):	7.848924616235838
Encrypted:	false
SSDEEP:	49152:l/ByNqW3tasfyBSExOWE39QIRpE8kB6oAVr2yuk4DwO:l/BykWtvyBSQE3rRp/oXyMDF
MD5:	556E2B134F2DC480AD9E3C4183550E10
SHA1:	77DF10F45080C16EE37AA0B6FD1C099300938798
SHA-256:	6F437871814EEA7EC5A810027671FEB082E000988511B23D5EACB1D9EC3C7DE5
SHA-512:	FFC5E6E7B12BA55515AD7CE8A9275E8BAC10FC28D049C115F4F24FAD4025C641A562CE02936088163DBF6729E8A142BDA337E851CAC6650786FE474B796C52F3
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H......Exif..MM..............................J...........R.(...........i.........Z.......H.......H.....................................8Photoshop 3.0.8BIM........8BIM.%..................B~...(ICC_PROFILE.......appl....mntrRGB XYZ ............acspAPPL....APPL...........................-appl....8.G.m..Oz../................................desc.......0cprt...,...Pwtpt...\|....rXYZ........gXYZ........bXYZ........rTRC....... chad.......,bTRC....... gTRC....... mluc............enUS.........D.i.s.p.l.a.y. .P.3mluc............enUS...4.....C.o.p.y.r.i.g.h.t. .A.p.p.l.e. .I.n.c...,. .2.0.2.2XYZ ...............,XYZ ..........=.....XYZ ......J....7....XYZ ......(8.......para..........ff......Y.......[sf32.......B.......&.......................n........................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................................................................

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T20241002.0732 fromdannygirolomo.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\582A8D1D-5EB0-4BE2-978A-5B981BE6AACA

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\XWO0DNB8\IMG_5066.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\XWO0DNB8\IMG_5066.jpeg:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\XWO0DNB8\IMG_5068.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\XWO0DNB8\IMG_5068.jpeg:Zone.Identifier

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728241661936867500_4E490702-800E-498D-B32F-DE140B2B3F63.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728241661937913600_4E490702-800E-498D-B32F-DE140B2B3F63.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241006T1507390394-5416.etl

C:\Users\user\AppData\Local\Temp\olkC4FC.tmp

C:\Users\user\AppData\Local\Temp\olkC52B.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
T20241002.0732 fromdannygirolomo.eml