Edit tour

Windows Analysis Report
URGENT!.msg

Overview

General Information

Sample name:	URGENT!.msg
Analysis ID:	1541001
MD5:	b2418f33d56c6a767508d498fddc2233
SHA1:	d7715a14a99cfff257326b45071a34f03d9b9b80
SHA256:	0e5bae0b51a1dc3f8c20ed7d1ec753196bb54db1ba89a92ab84e8a7fbc10c537
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 2448 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\URGENT!.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 1984 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E57EA739-0421-4E9E-AF6E-DD41E4C28D82" "D3100384-D013-45F2-8D93-A67BF73A0F16" "2448" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

OUTLOOK.EXE (PID: 5792 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding MD5: 91A5292942864110ED734005B7E005C0)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2448, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.aadrm.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.cortana.ai
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.office.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.onedrive.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://api.scheduler.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://app.powerbi.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://augloop.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://canary.designerapp.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.entity.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cortana.ai
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cortana.ai/api
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://cr.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://d.docs.live.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dev.cortana.ai
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://directory.services.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ecs.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://graph.windows.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://graph.windows.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://invites.office.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.windows.local
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://make.powerautomate.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://management.azure.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://management.azure.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://messaging.office.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://mss.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ncus.contentsync.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://officeapps.live.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://onedrive.live.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office365.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office365.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://res.cdn.office.net
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://service.powerapps.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://settings.outlook.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://staging.cortana.ai
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://substrate.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://tasks.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://wus2.contentsync.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winMSG@4/12@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0428270343-2448.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\URGENT!.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E57EA739-0421-4E9E-AF6E-DD41E4C28D82" "D3100384-D013-45F2-8D93-A67BF73A0F16" "2448" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E57EA739-0421-4E9E-AF6E-DD41E4C28D82" "D3100384-D013-45F2-8D93-A67BF73A0F16" "2448" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email uses urgency to pressure the recipient into action

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe
https://entitlement.diagnostics.office.com	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://cortana.ai	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://cr.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://store.office.cn/addinstemplate	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://globaldisco.crm.dynamics.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://mss.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://management.azure.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://api.office.net	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	4FF78675-AC0F-475D-9B4C-F4B02A69F80A.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541001
Start date and time:	2024-10-24 10:27:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	URGENT!.msg
Detection:	SUS
Classification:	sus21.winMSG@4/12@0/0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 20.42.65.84
Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdeus02.eastus.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: URGENT!.msg

Input	Output
URL: Model: claude-3-5-sonnet-20240620	{ "explanation": [ "The email uses urgency to pressure the recipient into action", "The sender's email address does not match the claimed identity", "The request for WhatsApp contact is unusual and suspicious for business communication" ], "phishing": true, "confidence": 9 }
Is this email content a phishing attempt? Please respond only in valid JSON format: Email content converted to JSON: { "date": "Mon, 21 Oct 2024 15:19:13 +0200", "subject": "URGENT!", "communications": [ "\nHello Paul \n\n\nI have a serious task for you that requires speed attention. Confirm your Whats-app number for further instructions.\n\nLooking forward to your quick response.\n\n\nBest Regards\nMark Bogard\n\n\n\n\n\n\n\n\nSent from Mobile\n" ], "from": "Mark Bogard <mmmhbbbles@gmail.com>", "to": "paul.benstead@familybsoc.co.uk" }
URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "I have a serious task for you that requires speed attention. Confirm your Whats-app number for further instructions.", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "Mark Bogard" ] }
	```json { "brands": [ "Mark Bogard" ] }

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.387061079650882
Encrypted:	false
SSDEEP:	1536:bWYLA1gscQ8OWB+Gjgs4DNcAz79ysQqt2Qt/PqoQcVrcm0FvcCiy2sU7+15L1hFt:xGgEg3gdmiGu2+qoQyrt0Fv3a27X2naL
MD5:	ED595472A7D02954D6C3F48987E66FC0
SHA1:	82751A0C8225990F278C31216C1E2CAE826A9EFB
SHA-256:	4F0E91ACECCB87004C873CA6C23DF10733A65FE0301F2F62FD091A080D869A39
SHA-512:	EB901F6EB60999C9E9894111BCE1C0804C4C71D1A02C827038068586D0C902F19C1287A4A463921CE60F83ABB791B0CEFF19F15141033845475C5C0747B0884D
Malicious:	false
Reputation:	low
Preview:	TH02...... .....%......SM01X...,.......%..........IPM.Activity...........h...............h............H..h\|........p.....h.........u..H..h\alf ...AppD...h`...0.........h.wg............h........_`.j...h.tg.@...I..v...h....H...8..j...0....T...............d.........2h...............k.............!h.............. h.RA..........#h....8.........$h.u......8....."h..............'h..............1h.wg.<.........0h....4.....j../h....h......jH..h.`..p...\|.....-h .............+h.vg.....p........... ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4FF78675-AC0F-475D-9B4C-F4B02A69F80A

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178267
Entropy (8bit):	5.29028371902034
Encrypted:	false
SSDEEP:	1536:ui2XfRAqFbH41gwEwLe7HW8QM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:YCe7HW8QM/o/TXgk9o
MD5:	A3E7E666A88D462EDF4FBD665566AD78
SHA1:	E6BD0212896F27365562573DEC6CDF43F08F0CA8
SHA-256:	3FEFD2F19435222B567E994363852F2D3255819147E24FE087E9F14E67F7B6AD
SHA-512:	C5111CBF9E481B2527D3F3C62B0F1E17216D386F35CD2EFF3D748D76398DD2E86E9292EB425FA9563DD7C3AEE3874412B1E4A3E4563CD80C5BE6E16841303103
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-24T08:28:30">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04604146709717531
Encrypted:	false
SSDEEP:	3:GtlxtjldA+1qcAdT821lxtjldA+1qcAdT8NR9//8l1lvlll1lllwlvlllglbelDX:GtGd1Gs9X01PH4l942wU
MD5:	9D201026AB6D9B752B6B53A5FED99DA9
SHA1:	14832ADC006CB52B38436F164FD0D2CD41F72884
SHA-256:	F964E5A17170444D3A850E65E6B66EE7567686B360F96FEBCFF2AF2209734FD3
SHA-512:	7746E2A33567C7FC21AC1AC3FA4BD73A983927F480D542E19489518D7AC1718D4811D4E6661015109DF695C21F4BB94D19DA73DC63AF619FAE57DABDBCECA297
Malicious:	false
Reputation:	low
Preview:	..-.....................;..j........x.5.%\&..n...-.....................;..j........x.5.%\&..n.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4841028626516444
Encrypted:	false
SSDEEP:	48:VOQ1AKUll7DYMyzO8VFDYMpIBO8VFDYML:vgll4ZjVG8ujVGC
MD5:	3BE22CEBD4E7BFD3F476711308FE4CED
SHA1:	2BB0C3AAEFDB57035DB137A7CE93E2D5E06F9CDE
SHA-256:	86217B680AA5912B3AD6B4FB670C7B397DAEF0CDFFE8B162E0B4DA89152A51DB
SHA-512:	D6B8C9D3A0F7B5BE32DBA5AC52A25EACC950A163B0FA3F68A0309EBC309304A1500C8A6FDE634BBEFC97C49CA15BB13FC1A9BAD0D8FF5B94DB3DAD5931A16670
Malicious:	false
Reputation:	low
Preview:	7....-..............x.5....7^K............x.5.f.d\...SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729758507580622700_CA15EEE5-14F6-4ACF-99A7-434F411CEC8F.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28766), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16054797624835643
Encrypted:	false
SSDEEP:	1536:Rsw5W3hStlTesNtEJ3GiT0KLScxr6+pujpjfJcrWcgz2/tBe:+3hmlDNtUJp5t
MD5:	BED80C83B835A3852EF4F894D03B6A90
SHA1:	A90AAAC46612E64F98D5CA97F871ED1C1F9D768E
SHA-256:	670EB0BB40461E37E9EA817DCC8E9F11922FDC8E27B3BDDE4A0F2CED36597DA4
SHA-512:	05242F4691C3CA6B81ABF8D9C5F02B3C2AAA111B6B1190D3CAEE12628AB63CCC9DB1BADF645401103AD0F58F2F190B93EFBC9C3D3555D0134EBE6B3A0E0C59E0
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/24/2024 08:28:27.749.OUTLOOK (0x990).0xB70.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-24T08:28:27.749Z","Contract":"Office.System.Activity","Activity.CV":"5e4VyvYUz0qZp0NPQRzsjw.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/24/2024 08:28:27.780.OUTLOOK (0x990).0xB70.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-24T08:28:27.780Z","Contract":"Office.System.Activity","Activity.CV":"5e4VyvYUz0qZp0NPQRzsjw.4.10","Activity.Duration":12019,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVersi

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729758507582259300_CA15EEE5-14F6-4ACF-99A7-434F411CEC8F.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0428270343-2448.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.509953714492741
Encrypted:	false
SSDEEP:	768:QO7kM8F5rrJw0zLOuR04OBl19M3exF9gXX+szjZOzaWHW9WnW2POsQ5e9:Ql0+04u/9M3en2XuBn9
MD5:	32255305876E9E768875B206FC0FCF0C
SHA1:	F1FD28E2329484B06CC020D67F921D1E5C1B007B
SHA-256:	F445432AC0796FE9CB48E51C4EF52C4F1D4022BC249CD49F4B367A908DBD33EA
SHA-512:	7A7C4E45A734671DDE022D51F96D5F6ACA593C4682B70318AED2AD8D4CAD02279B65E1A2E42DD572E5201B78E75D99AFE52AA1E59864C3F96D0216D47A02EE71
Malicious:	false
Reputation:	low
Preview:	............................................................................b...p............%..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0.^..................%..........v.2._.O.U.T.L.O.O.K.:.9.9.0.:.f.7.8.b.c.a.5.f.b.2.9.2.4.7.6.b.8.e.a.8.d.e.5.2.b.c.b.1.2.c.f.a...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.4.T.0.4.2.8.2.7.0.3.4.3.-.2.4.4.8...e.t.l.............P.P.p.......I....%..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0429150102-5792.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.5750593370717842
Encrypted:	false
SSDEEP:	96:K1VHj0ePRLF0wYRLL8ZZLvs5y6em7fP3LXLkpCIsqs:AVLewwL8ZZLUojSfPzLeCIA
MD5:	663EA62BE1294FB39D8260E910893E69
SHA1:	20A89B0C77449EC06DFAFC9B682F38D35BA2B431
SHA-256:	969C6AAB89AA2EAF421B032F30A76730F5C94F17C99BC379E434362FB84D8D86
SHA-512:	1F332AE0CC086AC4DAD83EE667E4E935388673802727ED507956E0DE7D922D634C88E19D779E4E4F1AD92123D2A6604FA508BE933FCAAC301B2F31291E23D991
Malicious:	false
Preview:	............................................................................d...L.......i3\|..%..................eJ...........%..Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0.^.............i3\|..%..........v.2._.O.U.T.L.O.O.K.:.1.6.a.0.:.4.7.4.9.9.f.c.6.1.6.f.9.4.6.1.a.a.f.7.9.6.3.6.a.9.1.a.f.f.2.f.6...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.4.T.0.4.2.9.1.5.0.1.0.2.-.5.7.9.2...e.t.l...........P.P.L.......i3\|..%..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF01C8AD52D90FAB25.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.4077590469234969
Encrypted:	false
SSDEEP:	192:tSV76Hqm/zqcg/7++J/41UB1UAR2NgiXHWQOoqAbAWKNh/:tSVeHBWT7nJ/41UwkZiXHOoqM
MD5:	EA32FD55875F71A29E2555254C735F06
SHA1:	8902895B219DD396786C1F179E1FE3F05CD79AB0
SHA-256:	D70623AC69953D34F3396706826F4EB6DEE46445B59F0647DA28014EC4323AB3
SHA-512:	7BAAE514B991F1EC372A61D96B80A0E013F60B65C50FADDCA08D6675CAD51CC524657FA0689B8128F2872C357D453404B0118411D0273DE4A8F6C442471A8C14
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:Zj7llX:x7ll
MD5:	9DA48B7A6259690807374517AAA60B42
SHA1:	73FABB25100A02D3DFD178BE771B0DBE2AA53839
SHA-256:	43F0AA956829D3E7EF3EF1FF77015FC51A401D370744B358BCCCD16C0BE05797
SHA-512:	1DC796D6252239F94BB81B41CED6C4B095E97E817126CD80D2DCA9E674665A28684D389EE48E1ABD2F9616A062B96C7A88B9A1B8F8A670A49BA6C90051E5036B
Malicious:	false
Preview:	....nc........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.2903960528104306
Encrypted:	false
SSDEEP:	768:4vQcgeEhof4VhBUeyJ2R+PcW21UHT47CGPOlBf78BUTIZTm:pBooHUzd7f7eNZ6
MD5:	3C6FE67C6BE675E0F787659086E013EB
SHA1:	38B0463FF8DD3281CE6129FE120B3C356864867D
SHA-256:	D93758A42907563AD8784FC2387A341B9E5CE536A53F6D326CA92931F881AFD7
SHA-512:	025BB8F2ABA480DF8690A9C97F280F8335713A62475A9EC54F6EAB343E49D41A3293593A54ADD283DDEBA9F5BED8D13866A5838E314A05E855E6A8A6BD89F48B
Malicious:	true
Preview:	!BDNV..(SM......\...>^...,......I.......U................@...........@...@...................................@...........................................................................$.......D.......$..............E...............H....................................................................................................................................................................................................................................................................................................t....&.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	1.2352027452643335
Encrypted:	false
SSDEEP:	384:AqHFYjTIXJYetOBxE7pS4MY4MtRTdBmCTuGNSF7ZG0yO4rSWRxg47G1Rcql:xFUTIZtKQ56xG8qBfB6d
MD5:	61053A815D008DC28ACFB52C7A2C5C7D
SHA1:	2A49C649A52E7F5075F11A841CCA79D7E1F58DD5
SHA-256:	DD79A78F51A719557343C2D1D6797B634F5AECA9275D81B8B959C09C633CFEFC
SHA-512:	8299AE5DFEF58AA753B81A3B5E6EB80B27C3B1E1FCC47018134CD6110F9E38AD63F4A8D2D55DF802A591E43D66BA8B89693569F39F0047F04BDF85B15D2F7ACD
Malicious:	true
Preview:	..a.C...e...........(....%....................#.!BDNV..(SM......\...>^...,......I.......U................@...........@...@...................................@...........................................................................$.......D.......$..............E...............H....................................................................................................................................................................................................................................................................................................t....&...............................l.h...l.......................................................8.h...,.h.......AAA.6AAAAAAAAAAA.LOA.AcAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAL.AAAAAAAAAAA.LcA.A~ALA.AwALA.AxA.A.A.A.A,ALA.AJA.AJALAwApA.A.A.A.AJA.A.A.ALA.A.A.A.A.A.A.A.ALA.A.AJA.A.A.ALAUA.A.A.A.A.ALA8A.A.A.A.A.A.A\|AKA.A.A.A.A.AQA.A.A.A.A.A.A.A.A\|AKA.A.A.AYApA:A.A.A.A.A.AxA.A.A.A.A,A.A.A.AYApA:A.A.A.AQA.A:A.AJA.A.ALA.A.AJA.A.A.A.

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	3.750899797027712
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	URGENT!.msg
File size:	88'576 bytes
MD5:	b2418f33d56c6a767508d498fddc2233
SHA1:	d7715a14a99cfff257326b45071a34f03d9b9b80
SHA256:	0e5bae0b51a1dc3f8c20ed7d1ec753196bb54db1ba89a92ab84e8a7fbc10c537
SHA512:	11a4ffb37cabd7fa9f1f9dcfdee3cffc000c2dbeb30f6d777fe3be237726cc759c87bfe36685a43821ba539bd467081c2382b9cb19f16482d824ba33ce3c5506
SSDEEP:	1536:yGWNWNsjUnXGEOrHB+jjqi92xihsT18WzWxItih43pG7+Ia:ygsjEMhVVth5
TLSH:	61830F2535FA1119F2B79F318BE250A78937BD52AD24965F2185330E0A72941ECA3F3F
File Content Preview:	........................>.......................................................\|..............................................................................................................................................................................

Static Mail

General

Subject:	URGENT!
From:	Mark Bogard <mmmhbbbles@gmail.com>
To:	paul.benstead@familybsoc.co.uk
Cc:
BCC:
Date:	Mon, 21 Oct 2024 15:19:13 +0200
Communications:	Hello Paul I have a serious task for you that requires speed attention. Confirm your Whats-app number for further instructions. Looking forward to your quick response. Best Regards Mark Bogard Sent from Mobile
Attachments:

Headers

Key	Value
Received	by mail-yw1-f169.google.com with SMTP id 00721157ae682-6e59a9496f9so49512277b3.0
13	19:31 +0000
ARC-Seal	i=1; s=201903; d=dkim.mimecast.com; t=1729516767; a=rsa-sha256;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
ARC-Authentication-Results	i=1;
by CWXP265MB3029.GBRP265.PROD.OUTLOOK.COM (2603	10a6:400:c6::10) with
2024 13	19:28 +0000
(2603	10a6:10:230::26) with Microsoft SMTP Server (version=TLS1_2,
Transport; Mon, 21 Oct 2024 13	19:28 +0000
Authentication-Results	spf=softfail (sender IP is 91.220.42.227)
Received-SPF	SoftFail (protection.outlook.com: domain of transitioning
via Frontend Transport; Mon, 21 Oct 2024 13	19:27 +0000
h=from	from:reply-to:subject:subject:date:date:message-id:message-id:
to	to:cc:mime-version:mime-version:content-type:content-type:
spf=pass (relay.mimecast.com	domain of mmmhbbbles@gmail.com designates 209.85.128.169 as permitted sender) smtp.mailfrom=mmmhbbbles@gmail.com
Authentication-Results-Original	relay.mimecast.com; dkim=pass
(policy=none) header.from=gmail.com; spf=pass (relay.mimecast.com	domain of
uk-mta-321-4bFCP5v7OFGGKKQQVThf2Q-1; Mon, 21 Oct 2024 14	19:25 +0100
X-MC-Unique	4bFCP5v7OFGGKKQQVThf2Q-1
for <paul.benstead@familybsoc.co.uk>; Mon, 21 Oct 2024 06	19:25 -0700 (PDT)
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
h=to	subject:message-id:date:from:mime-version:x-gm-message-state
	from:to:cc:subject:date:message-id:reply-to;
X-Google-DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Gm-Message-State	AOJu0YxQ1td4taWyhWr8xFgl1jgrtZz6oFVsTJDtoO3G1W2pZ6MF0ZE/
X-Google-Smtp-Source	AGHT+IEpcESzgGuw9yrD9W+TDp/qGm3g0BzsL4dw+s3wO/ADsNcDRrp/XarbIwaKwscjesyyNBoOC5cYi6rB6TDKBxQ=
X-Received	by 2002:a05:690c:6e0a:b0:6dd:b9d4:71a1 with SMTP id
06	19:23 -0700 (PDT)
MIME-Version	1.0
From	Mark Bogard <mmmhbbbles@gmail.com>
Date	Mon, 21 Oct 2024 06:19:13 -0700
Message-ID	<CAELMGbbtCa+RFptQe=P3aYGOebXBG5gH2O8N98pyPssXmn1Xug@mail.gmail.com>
Subject	URGENT!
To	paul.benstead@familybsoc.co.uk
X-Mimecast-Spam-Score	9
X-Mimecast-Impersonation-Protect	Policy=Default Impersonation Definition;Similar Internal Domain=false;Similar Monitored External Domain=false;Custom External Domain=false;Mimecast External Domain=false;Newly Observed Domain=false;Internal User Name=true;Custom Display Name List=false;Reply-to Address Mismatch=false;Targeted Threat Dictionary=false;Mimecast Threat Dictionary=false;Custom Threat Dictionary=false
X-Mimecast-Spam-Signature	yes
Content-Type	multipart/alternative; boundary="0000000000005913520624fc80ca"
Return-Path	mmmhbbbles@gmail.com
X-MS-Exchange-Organization-ExpirationStartTime	21 Oct 2024 13:19:27.8046
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	06f8141d-65ec-4b18-61f6-08dcf1d2fd7d
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	044ebd9e-a4d0-4dc3-a433-3f1e22de7974:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	DB5PEPF00014B8A:EE_\|CWXP265MB3029:EE_\|LNXP265MB2522:EE_
X-MS-Exchange-Organization-AuthSource	DB5PEPF00014B8A.eurprd02.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id	06f8141d-65ec-4b18-61f6-08dcf1d2fd7d
X-MS-Exchange-AtpMessageProperties	SA
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|82310400026\|7093399012\|8096899003;
X-Forefront-Antispam-Report	CIP:91.220.42.227;CTRY:GB;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:eu-smtp-inbound-delivery-1.mimecast.com;PTR:eu-smtp-inbound-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(82310400026)(7093399012)(8096899003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	21 Oct 2024 13:19:27.7109
X-MS-Exchange-CrossTenant-Network-Message-Id	06f8141d-65ec-4b18-61f6-08dcf1d2fd7d
X-MS-Exchange-CrossTenant-Id	044ebd9e-a4d0-4dc3-a433-3f1e22de7974
X-MS-Exchange-CrossTenant-AuthSource	DB5PEPF00014B8A.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped	CWXP265MB3029
X-MS-Exchange-Transport-EndToEndLatency	00:00:03.4743706
X-MS-Exchange-Processed-By-BccFoldering	15.20.8069.027
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?NsHzxw0/597/9eZMLdMlvW0thaB0rNhzgiHDNG8coOJxJ4+qpgrhZUvNCpM6?=
date	Mon, 21 Oct 2024 15:19:13 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Target ID:	1
Start time:	04:28:24
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\URGENT!.msg"
Imagebase:	0x7c0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:28:29
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E57EA739-0421-4E9E-AF6E-DD41E4C28D82" "D3100384-D013-45F2-8D93-A67BF73A0F16" "2448" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff627690000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:29:14
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Imagebase:	0x7c0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report URGENT!.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4FF78675-AC0F-475D-9B4C-F4B02A69F80A

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729758507580622700_CA15EEE5-14F6-4ACF-99A7-434F411CEC8F.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729758507582259300_CA15EEE5-14F6-4ACF-99A7-434F411CEC8F.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0428270343-2448.etl

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0429150102-5792.etl

C:\Users\user\AppData\Local\Temp\~DF01C8AD52D90FAB25.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: OUTLOOK.EXEPID: 2448, Parent PID: 1028

General

Windows Analysis Report
URGENT!.msg