
Windows Analysis Report
8%2F2024.eml

Overview

General Information

Sample name: 8%2F2024.eml
(renamed because the original name is a hash value)
Original sample name: nested-Wire Payment Confirmation For Regulvar Ref Id%3AREF#b0ff2f583488c653ac56d02c035a7532 10%2F8%2F2024.eml
Analysis ID: 1529328
MD5: f1d9aa0a7e19695d3cb6684b8de3972f
SHA1: ca92332154b90939d66e7657da6ea73341a7f6ce
SHA256: 8f0f7cc7b59469f2d52412506a3a300e4c0f9b234a3790270bdfefd2383f237d
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 3688 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\8%2F2024.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 4304 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1D55B752-4244-43B1-BE01-D203F6C04C79" "B16C1186-B3B0-4192-A928-4576A74CD57C" "3688" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://wus2.contentsync.
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 6360024D-D13B-4297-B422-8E1205F7983A.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine | Classification label: clean1.winEML@3/10@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241008T1513090159-3688.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\8%2F2024.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1D55B752-4244-43B1-BE01-D203F6C04C79" "B16C1186-B3B0-4192-A928-4576A74CD57C" "3688" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (51 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (parenthesised numbers are the counts shown beside each technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Process Discovery (1) | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | System Information Discovery (13) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
[Behavior graph: ID 1529328, sample 8%2F2024.eml, start date 08/10/2024, architecture WINDOWS, score 1. Process tree: OUTLOOK.EXE started, which in turn started ai.exe.]

No Antivirus matches
Source | Detection | Scanner | Label | Link
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                • URL Reputation: safe
                unknown
                https://officepyservice.office.net/service.functionality6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://templatesmetadata.office.net/6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://messaging.lifecycle.office.com/6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://mss.office.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://pushchannel.1drv.ms6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://management.azure.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://outlook.office365.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://wus2.contentsync.6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://incidents.diagnostics.office.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://clients.config.office.net/user/v1.0/ios6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://make.powerautomate.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.addins.omex.office.net/api/addins/search6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://insertmedia.bing.office.net/odc/insertmedia6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://outlook.office365.com/api/v1.0/me/Activities6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://api.office.net6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://incidents.diagnosticssdf.office.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://asgsmsproxyapi.azurewebsites.net/6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://clients.config.office.net/user/v1.0/android/policies6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://entitlement.diagnostics.office.com6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json6360024D-D13B-4297-B422-8E1205F7983A.0.drfalse
                • URL Reputation: safe
                unknown
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1529328
                Start date and time:2024-10-08 21:12:04 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 21s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:8%2F2024.eml
                renamed because original name is a hash value
                Original Sample Name:nested-Wire Payment Confirmation For Regulvar Ref Id%3AREF#b0ff2f583488c653ac56d02c035a7532 10%2F8%2F2024.eml
                Detection:CLEAN
                Classification:clean1.winEML@3/10@0/0
                Cookbook Comments:
                • Found application associated with file extension: .eml
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 40.126.32.134, 20.190.160.17, 40.126.32.72, 40.126.32.68, 40.126.32.133, 40.126.32.140, 40.126.32.138, 40.126.32.76, 52.109.28.46, 52.113.194.132, 13.69.239.72
                • Excluded domains from analysis (whitelisted): ecs.office.com, prdv4a.aadg.msidentity.com, onedscolprdneu00.northeurope.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, login.msa.msidentity.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, uks-azsc-config.officeapps.live.com
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: 8%2F2024.eml
No simulations
No context (all five context tables in this report are empty)
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):231348
                Entropy (8bit):4.388436317604034
                Encrypted:false
                SSDEEP:3072:MAg3mbgomiGu2wqoQcrt0FvuLQIpSc4nq/:MqJmi2tkdEc4nG
                MD5:DFE4480F5AFFB5DEA51E7C936B797D4E
                SHA1:96F720F7A2C3E774272137443DB79468734992FA
                SHA-256:DDD339052F87BE3509CE4E3B4BE9052B3ACBF7C490A21BB292E65E36A655AA5D
                SHA-512:2999080CD20F987363AB8EFE642EE69245A793F64583E110742F57B3C47C04F47EB1FF3FE62DA83574F3D259FA7B8ABEBDFE89776292D44AF95A471E0CCD293E
                Malicious:false
                Reputation:low
                Preview:TH02...... .p.P.........SM01X...,....U?.............IPM.Activity...........h...............h............H..hT.o.....A.=0...h...........H..h\alf ...AppD...h0...0.....o....h..zY...........h........_`.j...h].zY@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h#........o...#h....8.........$h.......8....."h............'h..>...........1h..zY<.........0h....4.....j../h....h......jH..h....p...T.o...-h .........o...+h..zY....H.o................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):177810
                Entropy (8bit):5.287200526922831
                Encrypted:false
                SSDEEP:1536:yi2XfRAqcbH41gwEwLe7HW8bM/o/NMdcAZl1p5ihs7EXXPEAD2Odavo:HCe7HW8bM/o/TXsk4o
                MD5:8F231575FAE188448D48CDB16A397FEB
                SHA1:2974214BB7EAEC9E315935C47B477F6B24C1DE6E
                SHA-256:4C383C9920F920125CEF36E0BF4F89C0B2E4BBCC026DEE5CCE63B717538AF1C6
                SHA-512:A027D8715AC79B5026D2B259372B12E10E90DCA2C44B7B6B1127E947361E99A94759CFCA69EF937996687E3BAC89FF066271B7883CD4247668ED8A024550EF87
                Malicious:false
                Reputation:low
                Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-08T19:13:12">.. Build: 16.0.18124.40132-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):0.04568135146424745
                Encrypted:false
                SSDEEP:3:GtlxtjleUn5CCJDlxtjleUn5CCJYljR9//8l1lvlll1lllwlvlllglbelDbllAlU:GtrsChrsCCt9X01PH4l942wU
                MD5:7B9D08B16E0200D60DB0D175FC944B1F
                SHA1:192BE14C9492A5EA5D8DDAA4209F4CCE6C7275F4
                SHA-256:847D79721907ABF627070AFAA00B77760FE12D2C325B84D9E10BA4E98BF33CC4
                SHA-512:E9DCC3CE290AFF33BB838600AD5D954486A176CAC66884A092F0FDDFDDE268407D3E5FFDEC4B9C616605CF4BA17BEC17FC1A655CBBD075C44CAF80B952C44B39
                Malicious:false
                Reputation:low
                Preview:..-......................iY.q......I?.(6........-......................iY.q......I?.(6..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite Write-Ahead Log, version 3007000
                Category:modified
                Size (bytes):49472
                Entropy (8bit):0.484570904211201
                Encrypted:false
                SSDEEP:48:PcQ1snFUll7DYMAzO8VFDYMwBO8VFDYML:/Kill4DjVGVjVGC
                MD5:F58538992915903251B0BB8799FF8C96
                SHA1:F76036DC69D532D4D843E0F7CB2537FBF8A25CE2
                SHA-256:2A67A6341BD20821DD33469DA220A63D7630D2DA4E272CEAAB5F68A1F2176479
                SHA-512:1BFB4ED676D7FA0527D33F88B97BB4A37C385DD54688A384B5835F48CF7F36CBF6A4A3BAD3D71062A82E110C1FD1CDB4B92D9A1071DCD1B17CDF700E4409D88A
                Malicious:false
                Reputation:low
                Preview:7....-.............I?.(d...E.............I?.(W..cg^..SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with very long lines (28763), with CRLF line terminators
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.16066590468591507
                Encrypted:false
                SSDEEP:1536:lj/IBOZmTdh7VKM9PDRYDDnBJ6fqAIbjISKgyfb1CNPUBv:6OAf7VXFEFU
                MD5:4787FEDF26B885346166671CE375EDF3
                SHA1:B59FD6010FB4BFBF595E029E5BC75B8C5F2D9AE6
                SHA-256:124DEDC07A662992D927808C8C63B845B993CA7F86F89A5CBD1CE8E216690CC0
                SHA-512:8C17C6CBAA5D2E6881828855AD3A8100E19DCA11991AC9F8FA49E13E6644E3CBD047C35EA70A45814DC7903B13846BAF51FAB12723D56509842F59459E3A1BE5
                Malicious:false
                Reputation:low
                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/08/2024 19:13:09.706.OUTLOOK (0xE68).0x1134.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-08T19:13:09.706Z","Contract":"Office.System.Activity","Activity.CV":"644gvn+oAkOfZTwew0syrQ.4.9","Activity.Duration":11,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/08/2024 19:13:09.721.OUTLOOK (0xE68).0x1134.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-08T19:13:09.721Z","Contract":"Office.System.Activity","Activity.CV":"644gvn+oAkOfZTwew0syrQ.4.10","Activity.Duration":16932,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                Malicious:false
                Reputation:high, very likely benign file
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):110592
                Entropy (8bit):4.515704734482575
                Encrypted:false
                SSDEEP:768:CqYFMDk3+50ABURHVTXH4rFltaRk97IJj1g59Zo9tEv/xX1KZmmWrWiBbWMWegA9:dirj4rFE9tEv5XZgY
                MD5:D1A9072C258824E5CC0CACB3B42488E2
                SHA1:F5E17A10373F40EFEF926768ABE520383CB7F245
                SHA-256:E3CA6F8651AB3F5F7F7265C2A77DAF50B87B0F23BD00574392A011DBA2B6D6B7
                SHA-512:02232855753159E836D0356B7BC66250C135197E253F83C8BDE78D0EB92D22B27906A9FEB89F386BECB0F4D78FF1D2D20F2E43CCCF323F419F366CE5B96B4267
                Malicious:false
                Reputation:low
                Preview:............................................................................b...4...h...GY......................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................`"n_............GY..............v.2._.O.U.T.L.O.O.K.:.e.6.8.:.0.d.f.7.7.7.9.4.0.7.2.8.4.2.c.3.8.e.8.6.b.0.a.1.1.f.b.9.2.4.e.c...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.8.T.1.5.1.3.0.9.0.1.5.9.-.3.6.8.8...e.t.l.............P.P.4...h...........................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):30
                Entropy (8bit):1.2389205950315936
                Encrypted:false
                SSDEEP:3:m9I/lt:m9Y
                MD5:1299482CD27DB58F8A34F03582B55D6E
                SHA1:0A6D6997B08F4DA8F8B380B3C1978831D8E44910
                SHA-256:CB3A90A1469F164E7C3DFB658AEF8C99BBAEB05C106FC90F31A054CC27FDDE78
                SHA-512:164CDA14D23071EF412702C48488BED06905416A5184467F780F9DE302168B1AA1EC59C2186AC7E70009DB8547105D7F5CAB12581B882849EF30C9A9540D6075
                Malicious:false
                Reputation:low
                Preview:.....X........................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Microsoft Outlook email folder (>=2003)
                Category:dropped
                Size (bytes):271360
                Entropy (8bit):3.296754307723675
                Encrypted:false
                SSDEEP:1536:ihF9ml5bDiPM1t0jMzg5Yw1vV24imIgKpA3dd88KIQW53jEpEHP4qQ10PAwryZtT:q8izMq1ZbIgKpqd3Sp9nip9
                MD5:39574AB8F87574B256ACCA18CC91B90F
                SHA1:D09C1B306B2044D42F7EEEDDCB6F3B9CB11361E3
                SHA-256:80037BA297D51B062622C4C4ECCAA94913C6B24FBA2F1B367C30C646A28199FD
                SHA-512:29945F4CCB118B51CB8963AAE2B84AA2A3F3B2985916517A068F6DA8FD6583B58F547D03F433076CD7DA2E6AAB0F920F3F09EC76C63AC89207F2169C837967AD
                Malicious:false
                Preview:!BDNO..FSM......\....Q..................[................@...........@...@...................................@...........................................................................$.......D......@...................................................................................................................................................................................................................................................................................................................................).>.M.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):4.514614545272465
                Encrypted:false
                SSDEEP:1536:VW53jEpEHP4qQ10PAwr1w/AYU8V2biqIgKpAQdd5DqtW53jEpEHP4qQ10PAwrq0/:jp9GrIgKpjdJcp9b
                MD5:C17CC768AD63F48BB8351949B4B05D07
                SHA1:2BB655EEF794215342491EDD8FD1CACFAAEA09E9
                SHA-256:C6C9325235EF46176CB9812D70B7EFB21C65ABEDD92EB763719A3ECC094E28DB
                SHA-512:F582D5FA5840DAC24FE5E9260115B2BE4B3511EA33C5BE9BE4CE10496D1964385421826F9E4FB9972FDC938DE3515AB4E710B403A2348E679E43AD882083C401
                Malicious:false
                Preview:i...C...q.......h....y........................#.!BDNO..FSM......\....Q..................[................@...........@...@...................................@...........................................................................$.......D......@...................................................................................................................................................................................................................................................................................................................................).>.M....y...........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                File type:ASCII text, with very long lines (956), with CRLF line terminators
                Entropy (8bit):6.001441440770852
                TrID:
                  File name:8%2F2024.eml
                  File size:39'663 bytes
                  MD5:f1d9aa0a7e19695d3cb6684b8de3972f
                  SHA1:ca92332154b90939d66e7657da6ea73341a7f6ce
                  SHA256:8f0f7cc7b59469f2d52412506a3a300e4c0f9b234a3790270bdfefd2383f237d
                  SHA512:3f6e918c9bc7d865b6e3fee05580830710440b93cac895ef44d0fe68e9f76f3822d2718383a52c0b1946d9b0bc13dd169470d2d42c24dce5e9e857b23748bc7b
                  SSDEEP:768:MUWDDxFfqerpVP1RIR5ha/bCqXnyg+5E3YZKX/wE/y4v+jTtdAadbIG8H7BUoZ0:MUuDxFf3rHP/BvGE3YZKvwEo3bdboBK
                  TLSH:1B0308468E561EB5CF8131DB1CCC6EC718BF3FEAA43320903E6C9856444B5D99BC66CA
                  File Content Preview:X-MS-Exchange-Organization-InternalOrgSender: False..ARC-Seal: i=3; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=fail;.. b=fZ6sO3vMao8ap/afCuK32Z32V37LyjaEmpk2m5G5XSrjLdbDK9S7yxl0gEcUMio2kqmFLq9FG7jeyzz0ZmCdaZrKKiAwtrjc4qze+Z8K/8Y9BJZduOwRPm3X9R9
                  Subject:Wire Payment Confirmation For Regulvar Ref Id:REF#b0ff2f583488c653ac56d02c035a7532 10/8/2024
                  From:admin@ntofla.com
                  To:fmassicotte@regulvar.com
                  Cc:
                  BCC:
                  Date:Tue, 08 Oct 2024 18:29:10 +0000
                  Communications:
                    Attachments:
                      Key Value
                      X-MS-Exchange-Organization-InternalOrgSenderFalse
                      ARC-Seali=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=pK6wNax8ImG8UC7eRK1Ju6QeEXhbacB+qfpnhgwS2/43Ys7BpEguPdZv+EEk0itFih60kuvgjDWKTttoO9e+y9O8pbgybA4sbYU3SM4JFNJGPy9k/s6AEXo8fuoKedKHPC5fPTbHoT5jaHBBZNSwkzoYPxhJDL5UibrO5t493dNd3cfmX2wSLrlow6QWybbWR0212OuPcgE6a8S/qMP5EissFMiLb/V/zYSpa6FxaM4uRC1VCJiExvNTIchBlfr2FYvxEYoZw8eFzoGvilazabkrLfhdQT6k3mg2uNXr+m52T9BWsqtGgVbnkmgEP2DbsbNw6T6RkSkXlf0x0RubmA==
                      ARC-Message-Signaturei=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=h0PnuRShD8eK7c9XQyy9aahnhqgNTLPvdtENV+xcClo=; b=Yyi1iy97kODH2yw94hAVDiR+MNzg2xRjuGBtojo0GpNFzRVw1uL14s+5CXc/vj1vRp+nGVjXtp3IJvIeRvfVEJ8eT4vngM1BDZFyGzzfpxM7f0tumkn4Us+xFDIS3BubVWw9e3Sj29UettDLhapgJK/Gqa26/GMg5xUOffd4O0e2a5UQywhYfQGjAHDdk5hBKKN71ZluYjIolNRXsvQOMb6lovN2BWiaUnIf+PNZpgb9TqitiHzZX/jqUupfzTKC0nNOPL+M03UTibEVjhiqxu0I4JT19WEMpNBXM23nNmCBjxXuxs6/pKreQrI+0wJYy1dOwmBiz+I1KH/skNmdyQ==
                      ARC-Authentication-Resultsi=1; mx.microsoft.com 1; spf=fail (sender ip is 172.81.130.100) smtp.rcpttodomain=regulvar.com smtp.mailfrom=ntofla.com; dmarc=none action=none header.from=ntofla.com; dkim=none (message not signed); arc=none (0)
                      Receivedfrom [127.0.0.1] (172.81.130.100) by CY4PEPF0000EE32.mail.protection.outlook.com (10.167.242.38) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8048.13 via Frontend Transport; Tue, 8 Oct 2024 18:29:11 +0000
                      Authentication-Resultsspf=fail (sender IP is 209.172.38.68) smtp.mailfrom=ntofla.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ntofla.com;
                      Received-SPFFail (protection.outlook.com: domain of ntofla.com does not designate 172.81.130.100 as permitted sender) receiver=protection.outlook.com; client-ip=172.81.130.100; helo=[127.0.0.1];
                      Authentication-Results-Originalmx-gate07-hz11.hornetsecurity.com 1; none
                      X-MS-Exchange-Authentication-Resultsspf=fail (sender IP is 172.81.130.100) smtp.mailfrom=ntofla.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ntofla.com;
                      Content-Typeapplication/octet-stream; name="Remittance_Regulvar.htm"
                      Content-Transfer-Encodingbase64
                      Content-Dispositionattachment; filename="Remittance_Regulvar.htm"
                      Fromadmin@ntofla.com
                      Tofmassicotte@regulvar.com
                      SubjectWire Payment Confirmation For Regulvar Ref Id:REF#b0ff2f583488c653ac56d02c035a7532 10/8/2024
                      Message-ID<be199ca0-65a6-9062-25ad-e2848014b1ae@ntofla.com>
                      DateTue, 08 Oct 2024 18:29:10 +0000
                      X-EOPAttributedMessage1
                      X-MS-TrafficTypeDiagnosticCY4PEPF0000EE32:EE_|DS0PR12MB7874:EE_|TO1PEPF00005347:EE_|YQBPR0101MB5564:EE_
                      X-MS-Office365-Filtering-Correlation-Id8683f517-e9e5-494a-b2d1-08dce7c72749
                      X-MS-Exchange-SenderADCheck1
                      X-MS-Exchange-AntiSpam-Relay0
                      X-Microsoft-Antispam-UntrustedBCL:0;ARA:13230040|9613299012|1800799024|376014|82310400026|36860700013|1513699012|3613699012;
                      X-Microsoft-Antispam-Message-Info-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
                      X-Forefront-Antispam-Report-Untrusted: CIP:172.81.130.100;CTRY:GB;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:[127.0.0.1];PTR:ip-172-81-130-100.host;CAT:NONE;SFS:(13230040)(9613299012)(1800799024)(376014)(82310400026)(36860700013)(1513699012)(3613699012);DIR:OUT;SFP:1102;
                      X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR12MB7874
                      X-antispameurope-body-digest: 72184d6c711803e45fa0f6460b73e9df
                      X-antispameurope-Connect: mail-dm6nam11on2095.outbound.protection.outlook.com[40.107.223.95],TLS=1;EMIG=0
                      X-antispameurope-date: 1728412161
                      X-antispameurope-Digest: 83340718dc6c7e0e08086098bef1522b
                      X-antispameurope-disclaimer: This E-Mail was scanned by www.antispameurope.com E-Mailservice on mx-gate07-hz11 with 4XNPgM2WB5z3P3k3
                      X-antispameurope: INCOMING:
                      X-antispameurope-LES: 21860f1f27
                      X-antispameurope-Mailarchiv: E-Mail archived by www.antispameurope.com for: fmassicotte@regulvar.com
                      X-antispameurope-Mailarchivtype: inbound
                      X-antispameurope-MSGID: 824d0e653a9cb81a9052b3a3f1926d1a-41f2f9a1a292235ce2f72ae5d53d3f27
                      X-antispameurope-orig: 8684d3a817c42096fdef8e9e4bb24c20
                      X-antispameurope-orig-host: mail-dm6nam11on2095.outbound.protection.outlook.com
                      X-antispameurope-orig-ip: 40.107.223.95
                      X-antispameurope-REASON: NOREASON:HO
                      X-antispameurope-recipient: fmassicotte@regulvar.com
                      X-antispameurope-sender: admin@ntofla.com
                      X-antispameurope-Spamstatus: CLEAN
                      X-antispameurope-SPFRESULT: NONE
                      X-antispameurope-Virusscan: CLEAN
                      X-antispameurope-WC: 8:327:2:15013:0:181:0:0:0:0:0:0:0:0:0:3:0:60:75:60:0:0:0:0:0:52:0:0:0:0:0:0:0:0::0:1:0:0:0:0:0
                      X-hornetsecurity-identifier: 99aa06d3014798d86001c324468d497f
                      Return-Path: admin@ntofla.com
                      X-MS-Exchange-Organization-OriginalArrivalTime: 08 Oct 2024 18:29:32.2792 (UTC)
                      X-MS-Exchange-Organization-ExpirationStartTime: 08 Oct 2024 18:29:32.3417 (UTC)
                      X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                      X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                      X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                      X-MS-Exchange-Organization-Network-Message-Id: 8683f517-e9e5-494a-b2d1-08dce7c72749
                      X-MS-Exchange-Organization-OriginalClientIPAddress: 209.172.38.68
                      X-MS-Exchange-Organization-OriginalServerIPAddress: 10.167.241.7
                      X-EOPTenantAttributedMessage: 417fb5a3-bdeb-4e46-8a16-fa39afbc7d97:0
                      X-MS-Exchange-Organization-TargetResourceForest: CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Organization-OrgEopForest: CAN01
                      X-MS-Exchange-Organization-MessageDirectionality: Incoming
                      X-MS-Exchange-Organization-Id: 417fb5a3-bdeb-4e46-8a16-fa39afbc7d97
                      X-MS-Exchange-Organization-FFO-ServiceTag: CAN01B
                      X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: TO1PEPF00005347.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Transport-CrossTenantHeadersStripped: TO1PEPF00005347.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Organization-ConnectingIP: 209.172.38.68
                      X-MS-Exchange-Organization-ConnectingEHLO: hsmx01-hz11.hornetsecurity.com
                      X-MS-Exchange-Organization-AS-LastExternalIp: 209.172.38.68
                      X-MS-Exchange-Organization-IsBipIncludedAtpTenant: true
                      X-MS-Exchange-Organization-IsAtpTenant: true
                      X-MS-Exchange-Organization-Originating-Country: CA
                      X-MS-Exchange-Organization-OriginalEnvelopeRecipients: fmassicotte@regulvar.com
                      X-MS-Exchange-Organization-PtrDomains: hsmx01-hz11.hornetsecurity.com
                      X-MS-Exchange-Organization-EhloAndPtrDomain: hsmx01-hz11.hornetsecurity.com;hsmx01-hz11.hornetsecurity.com
                      X-MS-Exchange-Organization-MxPointsToUs: false
                      X-MS-Exchange-Organization-RecipientDomainMxRecord-PFAFD: regulvar.com#filter14206.zerospam.ca
                      X-MS-Exchange-Organization-RecipientDomainMxInfo: regulvar.com#HornetSecurity#filter14206.zerospam.ca
                      X-MS-Exchange-Organization-CompAuthRes: none
                      X-MS-Exchange-Organization-CompAuthReason: 300
                      X-MS-Exchange-Organization-SpoofDetection-Frontdoor-DisplayDomainName: ntofla.com
                      X-MS-Exchange-Organization-SenderRep-Score: 3
                      X-MS-Exchange-Organization-SenderRep-Data: IpClassLargeGrayOther_GrayOther_SmallGrayBest
                      X-MS-Exchange-Organization-VBR-Class: GrayOther
                      X-MS-Exchange-Organization-HMATPModel-Spf: 4
                      X-MS-Exchange-Organization-HMATPModel-Recipient: <PII:H100055(pbDAZaNpUQGSGG5xsNHJRPLMUFciu8r879TwRGFc24A=)>@regulvar.com
                      X-MS-Exchange-Organization-TransportTrafficType: Email
                      X-MS-Exchange-Organization-TransportTrafficSubType:
                      X-MS-PublicTrafficType: Email
                      X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=YT4P288CA0055.CANP288.PROD.OUTLOOK.COM:TOTAL-FE=0.023|SMR-PEN=0.023(RENV=0.020);2024-10-08T18:29:32.366Z
                      X-MS-Exchange-Organization-MessageLatency: SRV=YT4P288CA0055.CANP288.PROD.OUTLOOK.COM:TOTAL-FE=0.140|SMR-PEN=0.023(RENV=0.020)|SMS=0.117(SMSC=0.100)
                      X-MS-Exchange-Forest-ArrivalHubServer: YQBPR0101MB5564.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Organization-AuthSource: TO1PEPF00005347.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Organization-AuthAs: Anonymous
                      X-MS-Exchange-Organization-FromEntityHeader: Internet
                      X-MS-Exchange-Organization-MessageScope: a93e9844-71e2-4971-a6de-a77b69e3e734
                      X-MS-Exchange-Forest-MessageScope: a93e9844-71e2-4971-a6de-a77b69e3e734
                      X-MS-Exchange-Organization-Antispam-ProtocolFilterHub-ScanContext: ProtocolFilterHub:SmtpOnEndOfData;
                      X-MS-Office365-Filtering-Correlation-Id-Prvs: d43e066b-6c9d-48df-093d-08dce7c71ac2
                      X-MS-Exchange-Organization-P2SenderPII: <PII:H100055(fvf4ZMOozDjAb1ygF0fP5Zi12G03YX9lFbXZJnbAXm8=)>@ntofla.com
                      X-MS-Exchange-Organization-Antispam-AuthResults: {"SpfDomain":"ntofla.com","SpfAuthStatus":"Fail","DkimAuthStatus":"None","DkimSubStatus":"None","DmarcAuthStatus":"None","DmarcAction":"None","ArcAuthStatus":"1","ArcSubStatus":"35"}
                      X-MS-Exchange-Organization-PFAHub-Total-Message-Size: 25231
                      X-MS-Exchange-Organization-OriginalSize: 25231
                      X-MS-Exchange-Organization-HygienePolicy: Premium
                      X-MS-Exchange-Organization-ReplicationInfo: ReplicaId=c91b1c96-da04-da8b-cf52-5f27c7e7dc08;ReplicatingServerFqdn=YT3PR01MB5572.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Forest-Language: en
                      X-MS-Exchange-Forest-IndexAgent: 1 471
                      X-MS-Exchange-Forest-EmailMessageHash: 00000000,B07DCFD2
                      X-MS-Exchange-Organization-Antispam-PreContentFilter-PolicyLoadTime: PSOSUB:6;PSOSUBLOAD:3;PSOSUBRUN:0;PSOSUBCOUNT:0;SMORES:7;SMORESLOAD:4;SMORESRUN:0;SMORESCOUNT:0;SAORES:40;SAORESLOAD:6;SLORES:9;APORES:7;APORESLOAD:5;RSORES:8;SLORESLOAD:6;
                      X-MS-Exchange-Organization-MessageFingerprint:
                      X-MS-Exchange-Organization-AttachmentDetailsInfo-ChunkCount: 1
                      X-MS-Exchange-Organization-AttachmentDetailsInfo-0: [{"ID":0,"FS":6784,"SHA256":"29950e5595fbb6c398c59b3f9c95296c1b89db12d1dba555b6671dfb08caf0f1","HFH":"KZUOVZX7tsOYxZs/nJUpbBuJ2xLR26VVtmcd+wjK8PE=","FE":"htm","AF":2560,"AFT":"{784:\"Remittance_Regulvar.htm\",789:\"html\"}","AFT2":"{784:\"Remittance_Regulvar.htm\",789:\"html\",2934:\"html\",2943:\"Markup\",2945:\"mGsgaW1Z6tAXbO84G09X8A==\"}"}]
                      X-MS-Exchange-Organization-FeatureTable: {1010:0,1028:1096,1029:809,1030:809,1031:286,1032:1096,1033:809,1034:809,1035:286}
                      X-MS-Exchange-Organization-Antispam-PreContentFilter-ScanContext: CategorizerOnSubmitted;CategorizerOnResolved;
                      X-MS-Exchange-Organization-AVScannedByV2: true
                      X-MS-Exchange-Organization-AVScanComplete: true
                      X-MS-Exchange-Organization-IsAnyAttachmentAtpSupported: true
                      X-MS-Exchange-Organization-ExternalRoutingTopologyAnalysis:
                      X-MS-Exchange-Organization-Recipient-Limit-Verified: True
                      X-MS-Exchange-Organization-TotalRecipientCount: 1
                      X-MS-Exchange-Organization-ExternalRecipientCount: 0
                      X-MS-Exchange-Organization-IsSingleRepresentative: True
                      X-MS-Exchange-Organization-ASDirectionalityType: 1
                      X-MS-Exchange-Organization-HVERecipientsForked: 1.0
                      X-MS-Exchange-Organization-SafeLinksPolicy-BIP: Built-In Protection Policy
                      X-MS-Exchange-Organization-SafeAttachmentPolicy-BIP: Built-In Protection Policy
                      X-MS-Exchange-Organization-SafeAttachmentPolicy: Built-In Protection Policy
                      X-MS-Exchange-Organization-SafeLinksPolicy: Built-In Protection Policy
                      X-MS-Exchange-Organization-SafeAttachmentPolicy-Enable: 1
                      X-MS-Exchange-Organization-SafeLinksPolicy-EnableSafeLinksForEmail: 1
                      X-MS-Exchange-Organization-SafeLinksPolicy-EnableSafeLinksForInternalSenders: 0
                      X-MS-Exchange-Organization-SenderRecipientCommunicationState: FC
                      X-MS-Exchange-Organization-Boomerang-Verdict: None
                      X-MS-Exchange-AtpMessageProperties: SA|SL
                      X-MS-Exchange-Organization-CommunicationStateSummary: FC
                      X-MS-Exchange-Organization-FirstContactSummary: ST=3;MRG=0;EXT=0;UN=1;ORCT=1;EV=1;FC=1;NESI=0;NES=0;ESTI=0;EST=0;INS=0;MP=0;UD=0;QE=0;ERR=0
                      X-MS-Exchange-Organization-IsKnownDomain: 0
                      X-MS-Exchange-Organization-SenderIntelligence-P2Sender: {"stringProperties":{"Watermark":"2024/10/06","FirstSeen_30D":"2024-09-06","LastSeen_30D":"2024-10-04","AvgInbound_1D":"14.03","AvgOutbound_1D":"15.93","ListDisplayNames_30D":"","VolumeBucket":"","_STATUS":"Success"},"numericProperties":{"SenderFlagRatio":19185,"SenderForwardRatio":4796,"SenderMarkAsJunkRatio":0,"SenderMarkAsPhishRatio":0,"SenderMarkAsUnReadRatio":4796,"SenderMoveToJunkRatio":0,"SenderReadRatio":172662,"SenderReplyRatio":160671,"TDNA_050Count_AuthNotPassed":0,"TDNA_050_90Count_AuthNotPassed":0,"TDNA_100Count_AuthNotPassed":0,"TDNA_100_90Count_AuthNotPassed":0,"MaxLenZero_AuthNotPassed":42,"MaxMailsSent_AuthNotPassed":40,"TotalDaysSentLast135_AuthNotPassed":22,"TotalDaysSentLast14_AuthNotPassed":1,"TotalDaysSentLast180_AuthNotPassed":25,"TotalDaysSentLast7_AuthNotPassed":0,"TotalDaysSentLast90_AuthNotPassed":10,"TotalMailsSentLast135_AuthNotPassed":637,"TotalMailsSentLast14_AuthNotPassed":38,"TotalMailsSentLast180_AuthNotPassed":722,"TotalMailsSentLast7_AuthNotPassed":0,"TotalMailsSentLast90_AuthNotPassed":300,"MedianMailsSent_AuthNotPassed":0,"MedianMailsSentLast45Days_AuthNotPassed":0,"MedianMailsSentLast90Days_AuthNotPassed":0,"FirstQ_AuthNotPassed":0,"SecondQ_AuthNotPassed":0,"ThirdQ_AuthNotPassed":0,"AvgMailSentPerDayLast1Week_AuthNotPassed":0,"AvgMailSentPerDayLast2Week_AuthNotPassed":271,"AvgMailSentPerDayLast45Days_AuthNotPassed":467,"Avg_Rcpt_Ratio_AuthNotPassed":18402,"Bin1_Mailcount_Ratio_Avg_AuthNotPassed":128559,"Dkim_Mailcount_Ratio_Avg_AuthNotPassed":5111,"Ip_Mailcount_Ratio_Avg_AuthNotPassed":15612,"Spf_Mailcount_Ratio_Avg_AuthNotPassed":5270,"TotalEmailsSent_30D":899,"TotalDaysSent_30D":25,"SenderScore":709,"MoveToJunkCount":5,"P2SenderReputation":0,"TotalCountSum24h":568,"TotalCountSum1h":566,"EntityFound":1}}
                      X-MS-Exchange-Organization-SenderIntelligence-P2SenderOrgDomainTenantId: {"stringProperties":{"_STATUS":"Success"},"numericProperties":{"EntityFound":1}}
                      X-MS-Exchange-Organization-EmailFingerprintsDetailsInfo-ChunkCount: 1
                      X-MS-Exchange-Organization-Antispam-AnalystFeatureFilter-ScanContext: CategorizerOnResolved;
                      X-MS-Exchange-Organization-SCL: -1
                      X-MS-Exchange-Organization-Antispam-TenantMessageRuleInfo: Scl:-1;RuleId:7a5dde8b-1697-40af-a6cb-b5683109a64d;
                      X-MS-Exchange-Organization-Rules-Execution-Log: 7a5dde8b-1697-40af-a6cb-b5683109a64d
                      X-MS-Exchange-Organization-RuleName-Execution-Log: RGlzYWJsZSBaZXJvc3BhbSBmaXRsdGVyaW5n
                      X-MS-Exchange-Organization-Rules-Execution-History: 7a5dde8b-1697-40af-a6cb-b5683109a64d
                      MIME-Version: 1.0

                      Icon Hash:46070c0a8e0c67d6
                      No network behavior found

                      Target ID:0
                      Start time:15:13:06
                      Start date:08/10/2024
                      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\8%2F2024.eml"
                      Imagebase:0x1b0000
                      File size:34'446'744 bytes
                      MD5 hash:91A5292942864110ED734005B7E005C0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:2
                      Start time:15:13:12
                      Start date:08/10/2024
                      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1D55B752-4244-43B1-BE01-D203F6C04C79" "B16C1186-B3B0-4192-A928-4576A74CD57C" "3688" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                      Imagebase:0x7ff6d1290000
                      File size:710'048 bytes
                      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      No disassembly