Edit tour

Windows Analysis Report
Seek Summon Counsel.eml

Overview

General Information

Sample name:	Seek Summon Counsel.eml
Analysis ID:	1528209
MD5:	82266fd56b3565b8df974af1232ff1c0
SHA1:	9881f80881a71b2729188750489d014607406c39
SHA256:	dc6ddf686f7d377ef972b73270ef666befff2e9d3ca44e9eb647f46a33246356
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected landing page (webpage, office document or email)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7312 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Seek Summon Counsel.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7948 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D821EF8A-FE73-41D8-8296-EE8DC72CF22E" "3775079F-C351-49A2-937B-BBD365F088EC" "7312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Seek Summon Counsel.eml	String found in binary or memory: <http://www.twitter.com/grubhub>* equals www.twitter.com (Twitter)
Source: Seek Summon Counsel.eml	String found in binary or memory: <http://www.twitter.com/seamless>* equals www.twitter.com (Twitter)
Source: Seek Summon Counsel.eml	String found in binary or memory: =3D"http://www.facebook.com/grubhub" style=3D"color:rgb(17,85,204)" target= equals www.facebook.com (Facebook)
Source: Seek Summon Counsel.eml	String found in binary or memory: =3D"http://www.facebook.com/seamless" style=3D"color:rgb(17,85,204)" target= equals www.facebook.com (Facebook)
Source: ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: HYPERLINK "http://www.facebook.com/grubhub" \t "_blank" equals www.facebook.com (Facebook)
Source: ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: HYPERLINK "http://www.facebook.com/seamless" \t "_blank" equals www.facebook.com (Facebook)
Source: ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: HYPERLINK "http://www.twitter.com/grubhub" \t "_blank" equals www.twitter.com (Twitter)
Source: ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: HYPERLINK "http://www.twitter.com/seamless" \t "_blank" equals www.twitter.com (Twitter)
Source: Seek Summon Counsel.eml	String found in binary or memory: f=3D"http://www.twitter.com/grubhub" style=3D"color:rgb(17,85,204)" target= equals www.twitter.com (Twitter)
Source: Seek Summon Counsel.eml	String found in binary or memory: grubhub.com \| fb <http://www.facebook.com/grubhub> \| *tw equals www.facebook.com (Facebook)
Source: Seek Summon Counsel.eml	String found in binary or memory: seamless.com \| fb <http://www.facebook.com/seamless> \| *tw equals www.facebook.com (Facebook)
Source: Seek Summon Counsel.eml	String found in binary or memory: style=3D"color:rgb(17,85,204)"><a href=3D"http://www.twitter.com/seamless" = equals www.twitter.com (Twitter)

Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: Seek Summon Counsel.eml, ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: http://grubhub.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: Seek Summon Counsel.eml, ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: http://seamless.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 34229658306.ttf.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Seek Summon Counsel.eml, ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: http://www.twitter.com/grubhub
Source: Seek Summon Counsel.eml, ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: http://www.twitter.com/seamless
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.office.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://api.scheduler.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://augloop.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.entity.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	String found in binary or memory: https://ci3.googleusercontent.com/mail-sig/AIorK4z9PouxfW1HVZLFP8RtpYtK59UAJWKhtSZNn0WFh5L3SDibY_HwE
Source: Seek Summon Counsel.eml	String found in binary or memory: https://ci3.googleusercontent.com/mail-sig/AIorK4z9PouxfW1HVZLFP8RtpYtK=
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cortana.ai
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://cr.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://directory.services.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ecs.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://graph.windows.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://graph.windows.net/
Source: Seek Summon Counsel.eml	String found in binary or memory: https://groups.google.com/a/grubhub.com/group/secops/
Source: Seek Summon Counsel.eml	String found in binary or memory: https://groups.google.com/a/grubhub.com/group/secops/post
Source: Seek Summon Counsel.eml	String found in binary or memory: https://groups.google.com/a/grubhub.com/group/secops/subscribe
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://invites.office.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.windows.local
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://management.azure.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://management.azure.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://mss.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://substrate.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: Seek Summon Counsel.eml	String found in binary or memory: https://support.google.com/a/grubhub.com/bin/topic.py?topic=25838
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://tasks.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winEML@3/18@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241007T1048380700-7312.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Seek Summon Counsel.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D821EF8A-FE73-41D8-8296-EE8DC72CF22E" "3775079F-C351-49A2-937B-BBD365F088EC" "7312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D821EF8A-FE73-41D8-8296-EE8DC72CF22E" "3775079F-C351-49A2-937B-BBD365F088EC" "7312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: PDF document	LLM: Page contains button: 'Click to View' Source: 'PDF document'
Source: PDF document	LLM: PDF document contains prominent button: 'click to view'

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: Seek Summon Counsel.eml

Binary or memory string: SxnOcVm1qdlOWhBHGD1FPa3BHT+VKh2nGKthgfShIp1GjNNsM9P0FPitxnp39BWjsB7fpTljAOcf

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://support.google.com/a/grubhub.com/bin/topic.py?topic=25838	Seek Summon Counsel.eml	false		unknown
https://designerapp.azurewebsites.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://store.office.cn/addinstemplate	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://globaldisco.crm.dynamics.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://ci3.googleusercontent.com/mail-sig/AIorK4z9PouxfW1HVZLFP8RtpYtK59UAJWKhtSZNn0WFh5L3SDibY_HwE	~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	false		unknown
http://www.twitter.com/grubhub	Seek Summon Counsel.eml, ~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp.0.dr	false		unknown
https://www.odwebp.svc.ms	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://mss.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://groups.google.com/a/grubhub.com/group/secops/post	Seek Summon Counsel.eml	false		unknown
https://insertmedia.bing.office.net/odc/insertmedia	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	81B4339B-3C9A-4C05-9F98-81D50BE54F1B.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528209
Start date and time:	2024-10-07 16:47:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Seek Summon Counsel.eml
Detection:	SUS
Classification:	sus21.winEML@3/18@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.76.243, 2.19.126.151, 2.19.126.160, 184.28.90.27, 20.189.173.18
Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdwus15.westus.cloudapp.azure.com, neu-azsc-000.roaming.officeapps.live.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.n
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Seek Summon Counsel.eml

Input	Output
URL: PDF document Model: jbxai	{ "brand":["PDF"], "contains_trigger_text":true, "trigger_text":"Click to View", "prominent_button_name":"Click to View", "text_input_field_labels":"unknown", "pdf_icon_visible":true, "has_visible_captcha":false, "has_urgent_text":false, "text":"Secure PDF Online Document", "has_visible_qrcode":false}

URL: Email Model: jbxai	{ "brand":["grubhub.com"], "contains_trigger_text":true, "trigger_text":"A copy of the complaint detailing the specific claims against you is attached for your review.", "prominent_button_name":"unknown", "text_input_field_labels":"unknown", "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":true, "text":"Legal received the below email and attachment. We have not taken any action on it as is looks like potential phishing to me. Please verify if this is a legitimate claim or an attempted attack. Thank you. Forwarded message From: flectycrtdservice via Legal Department <legal@grubhub.com> Date: Sat, Sep 28, 2024 at 2:36 PM Subject: Seek Summon Counsel To: <legal@grubhub.com> You are hereby notified of a legal action initiated against you in the Circuit Court. Case Details: Case Number: 2024-CD-710854739706 Court: Circuit Court Hearing Date: Wednesday, October 09, 2024 Hearing Time: 10:00 AM Attached Complaint: A copy of the complaint detailing the specific claims against you is attached for your review. Required Action: Please review the attached complaint carefully and respond within the specified timeframe. Important Notice: For accurate and complete case details, refer to the official court records. This email does not constitute legal advice. Sincerely, Court Clerk Michael A. Colmone Paralegal mcolmone@grubhub.com 111 W Washington St, Ste 2100 Chicago, IL 60602", "has_visible_qrcode":false}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.393201587403581
Encrypted:	false
SSDEEP:	1536:xTYLW5gsGkKyeua0algsH5NcAz79ysQqt2uqz6qoQDHrcm0FvMZ+yZiBFyzNCYI2:KYgjbLgqmiGu2OqoQbrt0FvMKan/nXj
MD5:	00C84FF15634EF5F691EA8AF186487AD
SHA1:	000170C8B748314AB77DCB06997C25FCB548DB59
SHA-256:	4932A08C530C8FBF46627C2C09541D3019307B9B0F3D7A419005A77D2DFCA4D2
SHA-512:	A9A6EE8AB1449A3418C65392BA0C0F042D8011D6FCD473A3BE682BCED68C1326CAC10DED83C573D11D3B906492FCD60EE238D154FB24CFE90258026A78CDBC3F
Malicious:	false
Reputation:	low
Preview:	TH02...... .p.m.........SM01X...,.....a.............IPM.Activity...........h...............h............H..ht.o.......f&...h........ ...H..h\hub ...AppD...h...0....o....h..O...........h........_`"k...h...O@...I.Dw...h....H...8.'k...0....T...............d.........2h...............k..............!h.............. h.........o...#h....8.........$h .......8....."h R.......T....'h..t...........1h..O<.........0h....4....'k../h....h.....'kH..h....p...t.o...-h .........o...+hK..O....h.o................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

File type:	SMTP mail, ASCII text, with CRLF line terminators
Entropy (8bit):	6.035329577997282
TrID:
File name:	Seek Summon Counsel.eml
File size:	107'732 bytes
MD5:	82266fd56b3565b8df974af1232ff1c0
SHA1:	9881f80881a71b2729188750489d014607406c39
SHA256:	dc6ddf686f7d377ef972b73270ef666befff2e9d3ca44e9eb647f46a33246356
SHA512:	ca9a7418eb92ef1cd0f30436ecfda5cec95254221cd45d093f55adeabdd1b6afd08ae71542605505f0618fd2e0742b96c5459bf04d33df88af41443e8c7c23a9
SSDEEP:	1536:tfmN+ma6iPfSNvqqYCsNnIy7+ibSals6uNkISiIYqo41zdos7thLQ9PK:SikCq8Iy79maluXIYqoOzdvPss
TLSH:	B1B36C15C2F28EAB41930AAF145336D0F079F3A581EC81F7316EA763F7629BAC358245
File Content Preview:	Delivered-To: tjones@grubhub.com..Received: by 2002:a05:7413:2143:b0:125:9987:37b with SMTP id sc3csp1882240rdb;.. Mon, 30 Sep 2024 08:55:14 -0700 (PDT)..X-Forwarded-Encrypted: i=4; AJvYcCXf9SDuePRQVJSY3yVc/QFIoJPcbsR9hwJ+0Ut6f4wFV3bfk8DrsvSSZw0eZ7

Subject:	Fwd: Seek Summon Counsel
From:	Michael Colmone <mcolmone@grubhub.com>
To:	Phish <phish@grubhub.com>, Security Operations <secops@grubhub.com>
Cc:
BCC:
Date:	Mon, 30 Sep 2024 10:53:59 -0500
Communications:	Hello Sec Ops Team, Legal received the below email and attachment. We have not taken any action on it as is looks like potential phishing to me. Please verify if this is a legitimate claim or an attempted attack. Thank you. ---------- Forwarded message --------- From: flecitycrtdservice via Legal Department <legal@grubhub.com> Date: Sat, Sep 28, 2024 at 2:36PM Subject: Seek Summon Counsel To: <legal@grubhub.com> You are hereby notified of a legal action initiated against you in the Circuit Court. Case Details: Case Number: 2024-CD-710854739706 Court: Circuit Court Hearing Date: Wednessday, October 09, 2024 Hearing Time: 10:00 AM Attached Complaint: A copy of the complaint detailing the specific claims against you is attached for your review. Required Action: Please review the attached complaint carefully and respond within the specified timeframe. Important Notice: For accurate and complete case details, refer to the official court records. This email does not constitute legal advice. Sincerely, Court Clerk -- Michael A. Colmone Paralegal mcolmone@grubhub.com 111 W Washington St, Ste 2100 Chicago, IL 60602 grubhub.com \| fb <http://www.facebook.com/grubhub> \| tw <http://www.twitter.com/grubhub> seamless.com \| fb <http://www.facebook.com/seamless> \| tw <http://www.twitter.com/seamless> This transmission is intended only for the proper recipient(s). It is confidential and may contain attorney-client privileged information. If you are not the proper recipient, please notify the sender immediately and delete this message. Any unauthorized review, copying, or use of this message is prohibited.
Attachments:	8ID0109FLT24PO92CD-R.pdf

Key	Value
Delivered-To	tjones@grubhub.com
Received	from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id 38308e7fff4ca-2f9f3ef0815sor7221251fa.2.2024.09.30.08.54.37 for <secops@grubhub.com> (Google Transport Security); Mon, 30 Sep 2024 08:54:37 -0700 (PDT)
X-Forwarded-Encrypted	i=1; AJvYcCVSOhKpysI8WH9a4Toh54RGCp/ivkiZaJyjHs+hyJtn8KsVh2owpU1lj5xkLDlhaR8/BBN6CyM=@grubhub.com
X-Received	by 2002:a05:651c:b28:b0:2fa:bf53:1dac with SMTP id 38308e7fff4ca-2fabff71965mr14584011fa.9.1727711675773; Mon, 30 Sep 2024 08:54:35 -0700 (PDT)
ARC-Seal	i=1; a=rsa-sha256; t=1727711677; cv=none; d=google.com; s=arc-20240605; b=ititgjqEEwlsvgdyLxECQiaYFPUz6nKTMiopFpFU0OypB47cQL8v3chaogvh03YA9B wSt3qEkDxwxUuycoIxCpWrNUqAH/+d5IIY8QXq46lrknpVqR46CVqCBPZb5EL5gPqZHq Mg51aPrpj0P52u02CHTLA3sJtBXNO5TeV9on0+t6blKR4GPdclADCSdUCd9nC3MSVZ1X D7L3kNYPEPRJQBA4qBb4ooT+g9LsKsxvK810xTgs4kw+HXYXsa8gjt0zhnGkHObo+d17 FVJx/y4upt6W0EujDrr/0SIR2LMpaOQY5lKO90uas2rF6KNmxDHXQMd0r8h0Midh24H6 Cg8A==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=5/qgTUR0N5uajaw3PXb/BKewzzo0jmHtKki9xLPaeoo=; fh=XO6FxDgPDMvPRxl4ZmjRVoNS/p9o7X+lwVIzsjHd3sY=; b=QgaIQX8CejmshB0hhANJeSbv+HEi7KnajnHea6ozQ5LwHfgk3Chtz3UphwHMrUw0hZ K5KjtZRo4FkMcjB6IaAUn/PfOrSV2eCkkpwvvtG8KrXFargAPeX0dpf3SW2wiHVa2+Tn 8T2liImYYdNB0ggWpKrYT9qLjlRbPiarpdcdyUe98ljnh9HCT4t/WUN0RDX5oKanAhR2 XRdqw4gBEX5B0hZC1cW11v5a+YHTeOMUlPDEkh/0PpU6MvKACBsNcDgVBSfdiYDExJsu TTJjnzyIs5oAjNYydwl8jlPA2vdLR3ixpiAX5NYg8lC1/Vq30BFeWG3lMB9el/x8pdvC YRjA==; dara=google.com
ARC-Authentication-Results	i=1; mx.google.com; dkim=pass header.i=@grubhub.com header.s=m1 header.b=AokM36Gk; spf=pass (google.com: domain of mcolmone@grubhub.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=mcolmone@grubhub.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=grubhub.com; dara=pass header.i=@grubhub.com
Return-Path	<secops+bncBDROVC5ET4LRBP4T5O3QMGQE6VLVXCI@grubhub.com>
Received-SPF	pass (google.com: domain of mcolmone@grubhub.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results	mx.google.com; dkim=pass header.i=@grubhub.com header.s=m1 header.b=qsPIVHeo; arc=pass (i=2 spf=pass spfdomain=grubhub.com dkim=pass dkdomain=grubhub.com dmarc=pass fromdomain=grubhub.com); spf=pass (google.com: domain of secops+bncbdrovc5et4lrbp4t5o3qmgqe6vlvxci@grubhub.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=secops+bncBDROVC5ET4LRBP4T5O3QMGQE6VLVXCI@grubhub.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=grubhub.com; dara=pass header.i=@grubhub.com
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=grubhub.com; s=m1; t=1727711680; x=1728316480; darn=grubhub.com; h=list-unsubscribe:list-archive:list-help:list-post:list-id :mailing-list:precedence:reply-to:x-original-authentication-results :x-original-sender:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=5/qgTUR0N5uajaw3PXb/BKewzzo0jmHtKki9xLPaeoo=; b=qsPIVHeoWrKIf9wornYdRzD2XLwXPDydzvPWHWzS4W+iG9NwH22GawHrtLOrsDI5Ct xVqdljvxbN7wItFbavtNBrG985pNfijQI+p/E2Kf567EeDpy+u6vpFWUDAvJu1V29Xhg /r42KwkrKM3zeRmct4nzP4KaFhYDiPfnZNvZu9sE5SxE5wOe27NWrVZilu1urDCu0PqK SOuCZoxEHvKLsZYCf3mEuc1rQHGGaXsgAVON77FHZO7AmgpLfwakbv7lNSg43m9rnBym Mn8T441PpHseQ6fk5duh2vuUzH3P1qSPrR+gRsaillgBi7c0BMOX/qI0uwveuj+2/JN3 j+tQ==
X-Google-DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727711680; x=1728316480; h=list-unsubscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:to:subject :message-id:date:from:in-reply-to:references:mime-version :x-beenthere:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5/qgTUR0N5uajaw3PXb/BKewzzo0jmHtKki9xLPaeoo=; b=vK82kUp+WZHdAr2P0VAsHvZmjDjrPiqsnZhqZPiU1N5GaKb2MdHw1EWulJonN6fLRr uRiFPnRN1mbUfAXwn4yUUv9Ej0R4XrXz7GWMI+0p6vTrq8DhrsYMPzNGI0kCBbn+WUe1 xG1ac6w/iyhuRl69xgd6W4n6dy1XRpkwmzso1nYcpm9QALjHkiI6xuB9PD7+ICPG9hPu Vv+MqOBpYnD1FhdAtIVfWY2t26N2/KY/XeXuk0Sz/oRmUqgSOpUTrz4nnDqeQmMxONGN s6m9tHa2dtcR7W/wxnmpgSILQ5tQrTjnnpIp2dHqG7+hUerv59sx1Z+f4lEG1pndJGqQ hh5g==
X-Gm-Message-State	AOJu0YyvwaX10DrtSWijkEUjPHi3dwVF/OjE6WcqAtHSSrfxACFLI1uk arIW8b6JVRMi3JHyuILW4mfpnoNITrx1GuyRMn83eo4uf/tCUAkJmzmgRHDqv+pr
X-Google-Smtp-Source	AGHT+IFLhPpNpu/2ugHrRbbqgkR1g7Y6RoBduAfo6nk6KitZ+JWVyvc/cxaQEdN9E3kRd/wJ866msA==
X-BeenThere	secops@grubhub.com
MIME-Version	1.0
References	<20240928193621.D7AFB65F5D86A6C8@165.140.158.32>
In-Reply-To	<20240928193621.D7AFB65F5D86A6C8@165.140.158.32>
From	Michael Colmone <mcolmone@grubhub.com>
Date	Mon, 30 Sep 2024 10:53:59 -0500
Message-ID	<CAG=h162T6W8hqyTe9-Mtx_BVKk6Jn4_ubF2JH2xD7Hf8WwBMcQ@mail.gmail.com>
Subject	Fwd: Seek Summon Counsel
To	Phish <phish@grubhub.com>, Security Operations <secops@grubhub.com>
Content-Type	multipart/mixed; boundary="000000000000b5bbfd0623583815"
X-Original-Sender	mcolmone@grubhub.com
X-Original-Authentication-Results	mx.google.com; dkim=pass header.i=@grubhub.com header.s=m1 header.b=AokM36Gk; spf=pass (google.com: domain of mcolmone@grubhub.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=mcolmone@grubhub.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=grubhub.com; dara=pass header.i=@grubhub.com
Reply-To	mcolmone@grubhub.com
Precedence	list
Mailing-list	list secops@grubhub.com; contact secops+owners@grubhub.com
List-ID	<secops.grubhub.com>
X-Spam-Checked-In-Group	secops@grubhub.com
X-Google-Group-Id	855217933231
List-Post	<https://groups.google.com/a/grubhub.com/group/secops/post>, <mailto:secops@grubhub.com>
List-Help	<https://support.google.com/a/grubhub.com/bin/topic.py?topic=25838>, <mailto:secops+help@grubhub.com>
List-Archive	<https://groups.google.com/a/grubhub.com/group/secops/>
List-Unsubscribe	<mailto:googlegroups-manage+855217933231+unsubscribe@googlegroups.com>, <https://groups.google.com/a/grubhub.com/group/secops/subscribe>

Target ID:	0
Start time:	10:48:34
Start date:	07/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Seek Summon Counsel.eml"
Imagebase:	0x210000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	10:48:46
Start date:	07/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D821EF8A-FE73-41D8-8296-EE8DC72CF22E" "3775079F-C351-49A2-937B-BBD365F088EC" "7312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7c4e90000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 15 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.RobotoItalicGoogle:Roboto Italic:2016Roboto Itali
Category:	dropped
Size (bytes):	488896
Entropy (8bit):	6.808704879195895
Encrypted:	false
SSDEEP:	12288:t2TYXApKTDpIZRGqjzWbcid431cIirqdPhYXsNcNKBPRgHHLK+AYxm:t+GqjzgFqdPhYUeHL1AYU
MD5:	1649261191C67171BF022A87815C1F3A
SHA1:	1C0B63E30B65A3C3C196DF0A28F4460C2C0EDA4A
SHA-256:	1EC57AF951FAA27F2C4220E3D00DA193CC8989D106A5CA80E3167B8B806F7952
SHA-512:	034B99B85C35D7B54D7777ED68CA479D9C2CDAEDCB3CFBE36C51C0B7C406B8849B1C5E8A2AE4CF2C6E90C1DB10BA5EE948E587CE9B18BE1E8039A4A5DF180283
Malicious:	false
Reputation:	low
Preview:	............GDEF..."...x....GPOS.v'w......>0GSUB..q\|..H...-.OS/2...N.......`cmapg+.B..6.....cvt ;.&}..bD....fpgm...2..O.....gasp.......l....glyf.d....4...dhead..,+.......6hhea...f...T...$hmtx..e.......4.loca&...cD..4.maxp...m...x... nameA.p...r.....post.+....u.....prepyX...._t............=A._.<...........................s.................l.............................:.....;.P...v......./.......u.................3.......3.....f..................P.!....!....GOOG...........f.... ........:..... .....d.......................D.\|.....R.\.I.......9.[.....m.....X.k.g.L.....%.....4.4...\.j.\...\...\.5.\...\.r.\.m.\...\.@.\.....).......B.B.p...;.......A.......;...p...;.i.;.J.;.I.t...;...I.H.....;...;...;...;.W.s...;.W.k...;...).......c.........................0.....{.>.O.....f...9.1.\.....F.`.G...E...u.\...F. .../....... .../.....I. .m.F.\...i.F... .......C.G.[...n...................7...".....G.i.....?.P...........C.........?.....^.y.....V.L.....].........&.&...]...o.o...f.....x............

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177810
Entropy (8bit):	5.287226582848841
Encrypted:	false
SSDEEP:	1536:3i2XfRAqcbH41gwEwLe7HW8bM/o/NMdcAZl1p5ihs7EXXPEAD2Odavo:CCe7HW8bM/o/TXsk4o
MD5:	7BA4EBF63EBC8C714FB00E300FB93198
SHA1:	18440A9DDEDC7BEAFB3C8C2B116DE66053A44E8F
SHA-256:	8B0BB8B471CAAF3F5B8BE1BD6FB34118BC7DB8A101F450D336B6EB3AB940B0D4
SHA-512:	C368CBDA9F4256994206FC75D2E0C79CF68E3D28529AF912E745BDDC6980553600E967714EB29CFAA7915A73DA4B4A7D1B2D3195A833CF8A935C782D297BF6EC
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-07T14:48:44">.. Build: 16.0.18124.40132-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09304735440217722
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5:	D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:	6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:	B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:	42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Seek Summon Counsel.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CloudFonts\Roboto\34229658306.ttf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\81B4339B-3C9A-4C05-9F98-81D50BE54F1B

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{A75EE814-F89A-4F57-9680-9A742F0E0BA7}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728312519609996100_EF6C2EBE-E544-4293-A906-C7B28AF8314A.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728312519614450100_EF6C2EBE-E544-4293-A906-C7B28AF8314A.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241007T1048380700-7312.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Seek Summon Counsel.eml