Windows Analysis Report
Your password reset request.msg

Overview

General Information

Sample name: Your password reset request.msg
Analysis ID: 1545480
MD5: 774bb17f172d1555f206333bc13bc46d
SHA1: 2055ea620004a5a3e10d527877c104438c9c38dc
SHA256: a7aea16595c2856a9c0e351f8e9ace21cccad7b033307aac5e4043ec1e16975a

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 432 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Your password reset request.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5936 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C232C781-5795-4501-8A4A-E57CDC2519C5" "28371F64-5FB7-41FC-A3D3-7C42D9EC6AFE" "432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • OUTLOOK.EXE (PID: 5328 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding MD5: 91A5292942864110ED734005B7E005C0)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: Your password reset request.msg, String found in binary or memory: https://saturne-ia.com
Source: Your password reset request.msg, String found in binary or memory: https://saturne-ia.com//images/saturne-banniere-mail.jpg
Source: ~WRS{11836D7D-E42C-41C7-9E72-19961F4B3D6D}.tmp.0.dr, String found in binary or memory: https://saturne-ia.com/images/saturne-banniere-mail.jpg
Source: Your password reset request.msg, ~WRS{11836D7D-E42C-41C7-9E72-19961F4B3D6D}.tmp.0.dr, String found in binary or memory: https://saturne-ia.com/reset-password/reset/V1RhGV6StLt8New4ev4asVwYc7kFaXaO3MXEjtt1
Source: Your password reset request.msg String found in binary or memory: https://url.usb.m.mimecastprotect.com/s/EYiPCJEkpZFx1AOtVfQFyLwg0?domain=3D=
Source: Your password reset request.msg, ~WRS{11836D7D-E42C-41C7-9E72-19961F4B3D6D}.tmp.0.dr String found in binary or memory: https://url.usb.m.mimecastprotect.com/s/EYiPCJEkpZFx1AOtVfQFyLwg0?domain=saturne-ia.com
Source: Your password reset request.msg String found in binary or memory: https://url.usb.m.mimecastprotect.com/s/RzopCKAlqOTLBMKsvhWF5iIPa?domain=3D=
Source: Your password reset request.msg, ~WRS{11836D7D-E42C-41C7-9E72-19961F4B3D6D}.tmp.0.dr String found in binary or memory: https://url.usb.m.mimecastprotect.com/s/RzopCKAlqOTLBMKsvhWF5iIPa?domain=saturne-ia.com
Source: classification engine Classification label: clean1.winMSG@4/18@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T1055410675-432.etl
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Your password reset request.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C232C781-5795-4501-8A4A-E57CDC2519C5" "28371F64-5FB7-41FC-A3D3-7C42D9EC6AFE" "432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Behavior Graph. ID: 1545480; Sample: Your password reset request.msg; Startdate: 30/10/2024; Architecture: WINDOWS; Score: 1. Processes: OUTLOOK.EXE (started), which started ai.exe; OUTLOOK.EXE (started).

No Antivirus matches
No contacted domains info
                  • URL Reputation: safe
                  unknown
                  https://outlook.office.com/autosuggest/api/v1/init?cvid=9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                    unknown
                    https://globaldisco.crm.dynamics.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://messaging.engagement.office.com/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://dev0-api.acompli.net/autodetect9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://saturne-ia.com/reset-password/reset/V1RhGV6StLt8New4ev4asVwYc7kFaXaO3MXEjtt1Your password reset request.msg, ~WRS{11836D7D-E42C-41C7-9E72-19961F4B3D6D}.tmp.0.drfalse
                      unknown
                      https://www.odwebp.svc.ms9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.diagnosticssdf.office.com/v2/feedback9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.powerbi.com/v1.0/myorg/groups9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://web.microsoftstream.com/video/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.addins.store.officeppe.com/addinstemplate9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://graph.windows.net9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://dataservice.o365filtering.com/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://officesetup.getmicrosoftkey.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://analysis.windows.net/powerbi/api9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://prod-global-autodetect.acompli.net/autodetect9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://substrate.office.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://url.usb.m.mimecastprotect.com/s/RzopCKAlqOTLBMKsvhWF5iIPa?domain=saturne-ia.comYour password reset request.msg, ~WRS{11836D7D-E42C-41C7-9E72-19961F4B3D6D}.tmp.0.drfalse
                        unknown
                        https://outlook.office365.com/autodiscover/autodiscover.json9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://consent.config.office.com/consentcheckin/v1.0/consents9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://notification.m365.svc.cloud.microsoft/PushNotifications.Register9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                          unknown
                          https://d.docs.live.net9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                            unknown
                            https://safelinks.protection.outlook.com/api/GetPolicy9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                            • URL Reputation: safe
                            unknown
                            https://ncus.contentsync.9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                            • URL Reputation: safe
                            unknown
                            https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              unknown
                              https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              http://weather.service.msn.com/data.aspx9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://apis.live.net/v5.0/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://officepyservice.office.net/service.functionality9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://templatesmetadata.office.net/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://messaging.lifecycle.office.com/9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://mss.office.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://pushchannel.1drv.ms9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://management.azure.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://outlook.office365.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://wus2.contentsync.9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://incidents.diagnostics.office.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                              • URL Reputation: safe
                              unknown
                              https://saturne-ia.comYour password reset request.msgfalse
                                unknown
                                https://clients.config.office.net/user/v1.0/ios9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://make.powerautomate.com9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://api.addins.omex.office.net/api/addins/search9C8008B2-A4D7-492F-92EB-5E27D1CE00B4.0.drfalse
                                • URL Reputation: safe
                                unknown
                                No contacted IP infos
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1545480
                                Start date and time:2024-10-30 15:54:38 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 31s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:7
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Your password reset request.msg
                                Detection:CLEAN
                                Classification:clean1.winMSG@4/18@0/0
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .msg
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.89.19, 2.19.126.160, 2.19.126.151, 52.113.194.132, 20.189.173.14
                                • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, a1864.dscd.akamai.net, ecs.office.com, client.wns.windows.com, onedscolprdwus13.westus.cloudapp.azure.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: Your password reset request.msg
                                No simulations
                                No context
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):231348
                                Entropy (8bit):4.381216150850699
                                Encrypted:false
                                SSDEEP:3072:B34gwVRsgfmiGu2hqoQirt0FvYpVDpFBtbX:B3k/Hmi2EWVDpFBJX
                                MD5:D3A0040E37333220CE9B5045F48A5CF4
                                SHA1:D03CAC08821AF802344CA21DE5A86D57AD5C83CF
                                SHA-256:B0BE9B682E2A4D69BCD5C6A7D27662D45377D52200DA4A4A32954695F17BF454
                                SHA-512:8305F99951CB84AE12625F2150A21BDF2667ACD8AEA59D48F28FF958FCCEA22D19323B5C199C0781ABA8FC4985F08BA221340A5D71253C332B9E86A068A50C11
                                Malicious:false
                                Reputation:low
                                Preview:TH02...... ..Z...*......SM01X...,...`4...*..........IPM.Activity...........h...............h............H..h.......{......h............H..h\eng ...r\Ap...hp...0... ......h..h...........h........_`.k...h...h@...I.6w...h....H...8..k...0....T...............d.........2h...............k1.1...........!h.............. hN6.R....8.....#h....8.........$h........8....."h.............'h..............1h..h<.........0h....4.....k../h....h......kH..h....p........-h .......d.....+hS..h........................ ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                Category:dropped
                                Size (bytes):322260
                                Entropy (8bit):4.000299760592446
                                Encrypted:false
                                SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                                MD5:CC90D669144261B198DEAD45AA266572
                                SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                                SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                                SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                                Malicious:false
                                Reputation:high, very likely benign file
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:ASCII text, with no line terminators
                                Category:modified
                                Size (bytes):10
                                Entropy (8bit):2.1219280948873624
                                Encrypted:false
                                SSDEEP:3:LPN:TN
                                MD5:25CDEB3F0385AD315FA4503EE1AF39B9
                                SHA1:4E4E3DB810A8B6F3B60988CF0FA830B4FBC6709C
                                SHA-256:2A04BC3AD7F1B090516B938893B4EF29D5EC765936159A1F598FB4064E376949
                                SHA-512:E238B54060B2F23C4565AD47543BB0E01B5D0796F68D9BD62CC29F2B277D7D84164DEC294119DD4B94D472C14F6D76EFAE57C935441EC5594057F2795531F8C4
                                Malicious:false
                                Reputation:low
                                Preview:1730300150
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):180288
                                Entropy (8bit):5.291012705889013
                                Encrypted:false
                                SSDEEP:1536:Gi2XfRAqFbH41gLEwLe7HW8QM/o/NMOcAZl1p5ihs7EXXOEADpOoagYdGVF8S7CC:wPe7HW8QM/o/aXbbkx
                                MD5:9027CD8E1C88C52511C5224125507417
                                SHA1:67A53419E8EDA7A491D20111D494530F102A6F50
                                SHA-256:5A3BBA9FE3B7ED0969ABA9214D846980736E01CCFD526C5467EFFA73D66165F6
                                SHA-512:6358B2E1C6932DDEEA336A8C247CDEA937445107C215D3110688F553879589CEBA267E8B79D3B74E8A59960ACF044566E92806C16F78E091EA59ECCD1D93FF1E
                                Malicious:false
                                Reputation:low
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-30T14:55:46">.. Build: 16.0.18222.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):0.09304735440217722
                                Encrypted:false
                                SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                                MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                                SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                                SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                                SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                                Malicious:false
                                Reputation:high, very likely benign file
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:SQLite Rollback Journal
                                Category:dropped
                                Size (bytes):4616
                                Entropy (8bit):0.1384465837476566
                                Encrypted:false
                                SSDEEP:3:7FEG2l+m8AtEl/FllkpMRgSWbNFl/sl+ltlslN04l9XllJi:7+/lZsg9bNFlEs1E39hi
                                MD5:21D66B81CFE8C222C5578C80BC4A6A1E
                                SHA1:2F1E38DC2D19304A27FE123C2C66F785C60AF9C1
                                SHA-256:2940F84560160F5AFEFC2D95B69C14E170ABC8F6892E4DAAD26C0A1755391617
                                SHA-512:0E43CAF2FBAF85D4E36FA201B3A40F248B703C16AA13CF6DB4A0F4F523C2C3CD9EB5C30379C5C90CD4174F1E390692F0DE0B690F5CF3EFA5988B1F5F010F3C2C
                                Malicious:false
                                Reputation:low
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):32768
                                Entropy (8bit):0.0444161994908491
                                Encrypted:false
                                SSDEEP:3:G4l2CNtFK4l2CNtFjl8lL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2CNt04l2CNtZqL9XXPH4l942U
                                MD5:04A0D612D0497F2F88931EEC86C0A25E
                                SHA1:168989D174D8B5922CDB4C081D927F58963617BC
                                SHA-256:4F915BC201B09821BB60E288F90BCB04E008E088E45D47ED9195C4B3E3D52D1F
                                SHA-512:B0B29C2AB085082CF37C43BAF33AB6EDCFE505C78F7BC7626AD790E8EC15F57A8FFBEDFA7FC218129BA79B8680BE6318B13EFFEF10E2B3C401B8110876C32036
                                Malicious:false
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:SQLite Write-Ahead Log, version 3007000
                                Category:dropped
                                Size (bytes):45352
                                Entropy (8bit):0.39337021516278153
                                Encrypted:false
                                SSDEEP:24:Kbmy4KTQMIzRD2uOmMXill7DBtDi4kZERDPnvExqt8VtbDBtDi4kZERDQ:7y7Qj/H6ill7DYMTn8xO8VFDYME
                                MD5:265367F6661073B730903AFD445F4DFD
                                SHA1:9FC3AC64515BEE26073553B9AEC6416E632EEDFC
                                SHA-256:2522A58BF595B54E09BE45B307C139B31E0FCE2E1F27E065AB20B6558F6DE642
                                SHA-512:1AC70CCF9B6F7BD31E04BC3D33459EBA9AA364BF7B9A4D45CBC380A3ADDA10AED9FA013955EB74330459497DF66B5BA101B14F540EBD3F98034F520BDF4FC469
                                Malicious:false
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):3280
                                Entropy (8bit):3.1778660006769934
                                Encrypted:false
                                SSDEEP:48:ffhuIqIHtNlsQXQuXcXcXR6ZbLLCCCCy5JElvLfj8HaPIPuINVjIVLfj8HfASPI:krIffgussh6ZbAMf7P3IVjqOdP
                                MD5:09F7A280DBA4C2C8DBDDEB31A33B215E
                                SHA1:3496A8EB9C4E7C791D5A70376789A7D5DD5CEE82
                                SHA-256:E892A7ED69DE151DBA337494AF9E883516575B2FA56F524324AD4AD6AD978BA5
                                SHA-512:476FDC17940367336D36EC1FEF4B548BB00CF65B98BCC27F43EBFF6842C4CC2B71AA1FCDC4C857669D94285274839F22C77D1F45F0B44E07EC09A9AB94EF24F1
                                Malicious:false
                                Preview:....I.N.C.L.U.D.E.P.I.C.T.U.R.E. . .\.d. .".h.t.t.p.s.:././.s.a.t.u.r.n.e.-.i.a...c.o.m./.i.m.a.g.e.s./.s.a.t.u.r.n.e.-.b.a.n.n.i.e.r.e.-.m.a.i.l...j.p.g.". .\.x. .\.y. .\.*. .M.E.R.G.E.F.O.R.M.A.T.I.N.E.T... . .....................................................................................................................................................................................................................................................................................................................................>...v...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:ASCII text, with very long lines (28729), with CRLF line terminators
                                Category:dropped
                                Size (bytes):20971520
                                Entropy (8bit):0.16085399210662074
                                Encrypted:false
                                SSDEEP:1536:cXZ6gHtj1/T88NFZ1WNVjhxXxXTVF9fOFcbjIa+bO8oCJpSNLB1:GNj5XNFyb9LC
                                MD5:F84676C80404F8BCB0909EA30BF04B55
                                SHA1:1F4C8438C34B70AEDB221DD5F03445BDF8E1718E
                                SHA-256:D5DAEF6A9961442A44D463DB8F0AAB277135AE54628B042A4D3765B49FA26B74
                                SHA-512:874C03430839BBA82C17802C74B887DC920F5C2EBE566315116823B514958DD4972FEE313484ED3F78CD3F769CB863E2B5EE32ECD2428AB429CBBBCB40086B2C
                                Malicious:false
                                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/30/2024 14:55:42.097.OUTLOOK (0x1B0).0x3FC.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-10-30T14:55:42.097Z","Contract":"Office.System.Activity","Activity.CV":"InggEhP0rU+S/1nh1mtTXQ.4.9","Activity.Duration":18,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/30/2024 14:55:42.112.OUTLOOK (0x1B0).0x3FC.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-10-30T14:55:42.112Z","Contract":"Office.System.Activity","Activity.CV":"InggEhP0rU+S/1nh1mtTXQ.4.10","Activity.Duration":10544,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVersi
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):20971520
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3::
                                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                Malicious:false
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):102400
                                Entropy (8bit):4.487165640578084
                                Encrypted:false
                                SSDEEP:768:/ZQbu5kFPSCThVhQ4h4UC9fI5NujGmXCD+OHH0envW4WPW5Wa/ljfZpbfNAlSF:x24UC9fGMj3Xo+OHH0en1jfZpbfNV
                                MD5:D8809CE908562301461D1A1C453597B1
                                SHA1:CD627CB92C268608B4A3E384CBED8EDF9FF3BA60
                                SHA-256:B7E582D47DA47F4A6E3C605638683901CA0A8F7A7D6B349E655968A90C7EEE46
                                SHA-512:8A53A41A6E29345D723B7E71B7FF1874394F636667CD7AEF4AD7042944908299DFB29B4C051333B17261C1BD1F6084912F5311982AD8C7A7C4817AD593048C34
                                Malicious:false
                                Preview:............................................................................d.............<..*..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................M.............<..*..........v.2._.O.U.T.L.O.O.K.:.1.b.0.:.7.0.6.6.8.2.8.6.b.7.c.8.4.9.8.d.b.5.2.9.d.6.4.e.5.9.8.3.3.8.7.2...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.3.0.T.1.0.5.5.4.1.0.6.7.5.-.4.3.2...e.t.l...........P.P.........#<?..*..................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):3.58341674626897
                                Encrypted:false
                                SSDEEP:96:h8vnOdCEMMLcmnyLlLMUPZL9F2UcLe+xjg6kLLd5y6eV:h8/OwE3DnyL5jRL9FNcLe+y6kLLdYjV
                                MD5:FF0D27550F57B269B365FFD7F0D0D107
                                SHA1:D2EABC378526DFC79ECFF4A7C070864616329358
                                SHA-256:1C14A5E7654BBFFF5A7DADB241B1745A0EF129016E5C8AB36A5D5D58FA7FF49E
                                SHA-512:695402E9CED92A0511958A0B6D19E70E23520F593AF5ECA0DE6F1A38A1E5C8C010A28F76C2202B2392B0A5900291B3D3FBE0B3823A6F24EC9E3559E65D349B6C
                                Malicious:false
                                Preview:............................................................................h...........h...*..................eJ..........*..Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................M...........h...*..........v.2._.O.U.T.L.O.O.K.:.1.4.d.0.:.3.2.0.b.2.6.a.6.e.f.4.9.4.d.8.6.9.1.4.e.e.5.6.1.6.2.b.5.2.8.7.1...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.3.0.T.1.0.5.6.0.7.0.5.6.8.-.5.3.2.8...e.t.l.......P.P.........h...*..................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):163840
                                Entropy (8bit):0.33535168192192893
                                Encrypted:false
                                SSDEEP:192:Guu6igvVlYwkWlAL3hzFNgz0XHWQOAIAbAFAqwNh/:RDigNlYSlO3hzoz0XHOAIMu
                                MD5:56C204C0F5A69322B490708F2CB8F676
                                SHA1:8FCB6D45AB92CAAF23DDBA06906BAE2DA51710A8
                                SHA-256:4177801A19D13571F8D17E989B83182FE911C466223A5DC2F94081B7B9643EF0
                                SHA-512:0D5DF49CC1ADA53F54B59B5C5F77AC5ADDE6F75FE66AFEB1820867D8287764F3427119E52D5A854A7E792792FD63965391D468F7C15C63C5F1E8CD8FE94982C8
                                Malicious:false
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):30
                                Entropy (8bit):1.2389205950315936
                                Encrypted:false
                                SSDEEP:3:DRmZ:0
                                MD5:E6B636EA1E9D22992131A88C6C64BAA8
                                SHA1:A0DCB12D392040B51E9DAAAE37538918FB0EC300
                                SHA-256:52B2CE1B3D9169856195F3FB4F25363AE94185E2D2165BE482FE3950315EBD8F
                                SHA-512:E6CBCFD58501C9905458494FA2F82B867C0A1B219C965D6C3C2AFC5CC8DA397E6AEAD57D53197FD9E1481C78331A60D507DEEAE633A9F3EB108593ABC3C082AB
                                Malicious:false
                                Preview:.....t........................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:Composite Document File V2 Document, Cannot read section info
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.6702167673140615
                                Encrypted:false
                                SSDEEP:12:rl3baFYqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheC2w7:rimnq1Py9612C
                                MD5:79BD62F41FAEA63BB9D4F333033819B0
                                SHA1:4DA099D116C0FDAE1727A67C6E36721A268FC6AC
                                SHA-256:5B84BAA8F7AE8CE1C76461B251286D19B5526D73F708D068579F9898E2F6EF26
                                SHA-512:7AA66D58CB630D0775FB247BD42E261BE1F48417CAB634133ABE50ED2EEE1158F6AF040467567B958E129068CD64A2A90D8F3609D77B47A366396823A15737A7
                                Malicious:false
                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:Microsoft Outlook email folder (>=2003)
                                Category:dropped
                                Size (bytes):271360
                                Entropy (8bit):1.550835686736797
                                Encrypted:false
                                SSDEEP:768:cQclrnzksqIlqC5JkW/qfDDpsBSZMKGRpqBf58BUTIZ:0zxbvJkW/q7uoCYf5eNZ
                                MD5:8CE1CBCF807D0BB1507E5AE942FBE7DE
                                SHA1:7055322EFB94352A1D2000347BDB29A5C7ADC99F
                                SHA-256:A8918B54C8F1B212603A9E55C8F5F4205EDC9C4F6DA5CC95C3EB66EBAC3B8063
                                SHA-512:94D9F6BC49AFACC45CAEF62995C0D1C4DBD7CE7E923B4F8B94E9A62E8D844E8F0F4296A600E65BBBD8B259987DEDCD76CE69ADAD5105D9B0E2B6593634DE78FE
                                Malicious:false
                                Preview:!BDN..zSM......\....q..................\................@...........@...@...................................@...........................................................................$.......D......@:..........................................................................................................................................................................................................................................................................................................................H........).u.p!.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):131072
                                Entropy (8bit):1.1201601352956176
                                Encrypted:false
                                SSDEEP:384:06+N96AtxTlHGNGF8sBWPZG0yO4rXW41l7uHMg1Rb:titGQRBfDwMg
                                MD5:91B3A5BF70FB0C848DF798D5101413B3
                                SHA1:E2E0EBEC54EB3F10D0B9AC2BAD05338B611088DE
                                SHA-256:943544B9F06489E50366C4C0EEF2E137CD5B3F56C77478C88087BD76DC6E68C2
                                SHA-512:4944D8FC990116F1971B99EB0853E158313743E0A085D5D70520A662DCE19DB42C6FC77114A12DEDD5EED7E10E17F77C5F5BBF1622C338632990531679C6C59C
                                Malicious:false
                                Preview:8hVf0...V.............V..*.......D............#.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................&k.D.........W0...W.............V..*.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                                File type:CDFV2 Microsoft Outlook Message
                                Entropy (8bit):4.007761659305687
                                TrID:
                                • Outlook Message (71009/1) 58.92%
                                • Outlook Form Template (41509/1) 34.44%
                                • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                                File name:Your password reset request.msg
                                File size:33'792 bytes
                                MD5:774bb17f172d1555f206333bc13bc46d
                                SHA1:2055ea620004a5a3e10d527877c104438c9c38dc
                                SHA256:a7aea16595c2856a9c0e351f8e9ace21cccad7b033307aac5e4043ec1e16975a
                                SHA512:c849091b64ccf032171f39b94155a69ad48b4bd5ee69b483322c3205f812c243bdfab880d2f659e07b4bf0bb752e8fd363209e571ee67b519e9248afe173db8e
                                SSDEEP:768:04tYwv5SpjgtmWsKvFWsKvI7fkJPepvqJGfhS3kEva:FDApj1WlWcOej
                                TLSH:DFE2EE2136F94605F27BCF764AE690978936BD82FD11C78F3290734E09B1941E9B1B2B
                                File Content Preview:........................>......................................................................................................................................................................................................................................
                                Subject:Your password reset request
                                From:Saturne IA Contact <contact@saturne-ia.com>
                                To:canderson@atlam.com
                                Cc:
                                BCC:
                                Date:Wed, 30 Oct 2024 15:03:24 +0100
                                Communications:
                                • <https://saturne-ia.com//images/saturne-banniere-mail.jpg> Hello! To reset your password, please visit the following link https://saturne-ia.com/reset-password/reset/V1RhGV6StLt8New4ev4asVwYc7kFaXaO3MXEjtt1 <https://url.usb.m.mimecastprotect.com/s/EYiPCJEkpZFx1AOtVfQFyLwg0?domain=saturne-ia.com> The link expires in 1 hour. Best regards contact@saturne-ia.com https://saturne-ia.com <https://url.usb.m.mimecastprotect.com/s/RzopCKAlqOTLBMKsvhWF5iIPa?domain=saturne-ia.com>
                                Attachments:
                                  Key: Value
                                  Authentication-Results: relay.mimecast.com;
                                  spf=pass (relay.mimecast.com: domain of contact@saturne-ia.com designates 212.227.126.134 as permitted sender) smtp.mailfrom=contact@saturne-ia.com
                                  Received: from [127.0.0.1] ([82.165.88.161]) by mrelayeu.kundenserver.de
                                  30 Oct 2024 07:15:58 -0700
                                  X-MC-Unique: b3qjPXEaOtWDECh0eMzSBg-1
                                  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=saturne-ia.com;
                                  h=X-UI-Sender-Class:From:To:Subject:Message-ID:MIME-Version:Date:
                                  Content-Type:cc:content-transfer-encoding:content-type:date:from:
                                  message-id:mime-version:reply-to:subject:to;
                                  X-UI-Sender-Class: 55c96926-9e95-11ee-ae09-1f7a4046a0f6
                                  1M8yso-1tB4yg2VF8-00Bu93 for <canderson@atlam.com>; Wed, 30 Oct 2024 15:03:24
                                  From: Saturne IA Contact <contact@saturne-ia.com>
                                  To: canderson@atlam.com
                                  Subject: Your password reset request
                                  Message-ID: <e0fc10ab624a8a56904436b083a06a4a@saturne-ia.com>
                                  MIME-Version: 1.0
                                  Date: Wed, 30 Oct 2024 14:03:24 +0000
                                  X-Provags-ID: V03:K1:BcmYPBw7G5DMFEd8Duc/+N9UPDtgDF6323M7aW0mDgnfx2AuNX2
                                  X-Spam-Flag: NO
                                  UI-OutboundReport: notjunk:1;M01:P0:S74HpxH/PEE=;2dwW20jyBrHlH0Kb/vAzXLJRoxl
                                  X-Mimecast-Spam-Score: 0
                                  Content-Type: multipart/alternative; boundary=LvEaoU4q
                                  date: Wed, 30 Oct 2024 15:03:24 +0100

                                  Icon Hash:c4e1928eacb280a2
                                  No network behavior found

                                  Target ID:0
                                  Start time:10:55:36
                                  Start date:30/10/2024
                                  Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Your password reset request.msg"
                                  Imagebase:0x580000
                                  File size:34'446'744 bytes
                                  MD5 hash:91A5292942864110ED734005B7E005C0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:10:55:43
                                  Start date:30/10/2024
                                  Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C232C781-5795-4501-8A4A-E57CDC2519C5" "28371F64-5FB7-41FC-A3D3-7C42D9EC6AFE" "432" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                                  Imagebase:0x7ff650a50000
                                  File size:710'048 bytes
                                  MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:6
                                  Start time:10:56:07
                                  Start date:30/10/2024
                                  Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
                                  Imagebase:0x580000
                                  File size:34'446'744 bytes
                                  MD5 hash:91A5292942864110ED734005B7E005C0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  No disassembly