
Windows Analysis Report
3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml

Overview

General Information

Sample name:3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml
Analysis ID:1562430
MD5:fcec9d80a1e0c4639171d7612f86ca09
SHA1:86758b446d54d5ae5fba0236c148ed76c50632b5
SHA256:450221ee3d9144ca03e1058d3ba0e5ad09b4153341676089db9e244662b89800

Detection

Score:21
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

AI detected potential phishing Email
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7440 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7988 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6065E1BF-B448-4729-B690-738CE56980DD" "50158EAA-599F-457C-81F0-955AD51B0BD7" "7440" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Phishing

Source: Email, Joe Sandbox AI: Detected potential phishing email: Highly suspicious sender email domain '720901.com' and obfuscated sender name. Subject line contains random characters and appears deliberately obscured. Attachment name suggests bait related to benefits/bonus but uses suspicious encoding
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr, String found in binary or memory:
http://b.c2r.ts.cdn.office.net/pr
http://f.c2r.ts.cdn.office.net/pr
http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
http://weather.service.msn.com/data.aspx
https://addinsinstallation.store.office.com/app/acquisitionlogging
https://addinsinstallation.store.office.com/app/download
https://addinsinstallation.store.office.com/appinstall/authenticated
https://addinsinstallation.store.office.com/appinstall/preinstalled
https://addinsinstallation.store.office.com/appinstall/unauthenticated
https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
https://addinslicensing.store.office.com/apps/remove
https://addinslicensing.store.office.com/commerce/query
https://addinslicensing.store.office.com/entitlement/query
https://addinslicensing.store.office.com/orgid/apps/remove
https://addinslicensing.store.office.com/orgid/entitlement/query
https://analysis.windows.net/powerbi/api
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://api.aadrm.com
https://api.aadrm.com/
https://api.addins.omex.office.net/api/addins/search
https://api.addins.omex.office.net/appinfo/query
https://api.addins.omex.office.net/appstate/query
https://api.addins.store.office.com/addinstemplate
https://api.addins.store.office.com/app/query
https://api.addins.store.officeppe.com/addinstemplate
https://api.cortana.ai
https://api.diagnostics.office.com
https://api.diagnosticssdf.office.com
https://api.diagnosticssdf.office.com/v2/feedback
https://api.diagnosticssdf.office.com/v2/file
https://api.microsoftstream.com
https://api.microsoftstream.com/api/
https://api.office.net
https://api.officescripts.microsoftusercontent.com/api
https://api.onedrive.com
https://api.powerbi.com/v1.0/myorg/datasets
https://api.powerbi.com/v1.0/myorg/groups
https://api.powerbi.com/v1.0/myorg/imports
https://api.scheduler.
https://apis.live.net/v5.0/
https://apis.mobile.m365.svc.cloud.microsoft
https://app.powerbi.com
https://arc.msn.com/v4/api/selection
https://asgsmsproxyapi.azurewebsites.net/
https://augloop.office.com
https://augloop.office.com/v2
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
https://autodiscover-s.outlook.com/
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://canary.designerapp.
https://cdn.designerapp.osi.office.net
https://cdn.designerapp.osi.office.net/designer-mobile
https://cdn.designerapp.osi.office.net/designerapp/fonts
https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
https://cdn.entity.
https://cdn.hubblecontent.osi.office.net/
https://cdn.int.designerapp.osi.office.net/fonts
https://client-office365-tas.msedge.net/ab
https://clients.config.office.net
https://clients.config.office.net/
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
https://clients.config.office.net/user/v1.0/android/policies
https://clients.config.office.net/user/v1.0/ios
https://clients.config.office.net/user/v1.0/mac
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://cloudfiles.onenote.com/upload.aspx
https://config.edge.skype.com/config/v1/Office
https://config.edge.skype.com/config/v2/Office
https://consent.config.office.com/consentcheckin/v1.0/consents
https://consent.config.office.com/consentweb/v1.0/consents
https://cortana.ai
https://cortana.ai/api
https://cr.office.com
https://d.docs.live.net
https://dataservice.o365filtering.com
https://dataservice.o365filtering.com/
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://designerapp.azurewebsites.net
https://designerappservice.officeapps.live.com
https://dev.cortana.ai
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://dev0-api.acompli.net/autodetect
https://devnull.onenote.com
https://directory.services.
https://ecs.office.com
https://ecs.office.com/config/v1/Designer
https://ecs.office.com/config/v2/Office
https://edge.skype.com/registrar/prod
https://edge.skype.com/rps
https://enrichment.osi.office.net/
https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
https://entitlement.diagnostics.office.com
https://entitlement.diagnosticssdf.office.com
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
https://fpastorage.cdn.office.net/%s
https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
https://globaldisco.crm.dynamics.com
https://graph.ppe.windows.net
https://graph.ppe.windows.net/
https://graph.windows.net
https://graph.windows.net/
https://hubblecontent.osi.office.net/contentsvc/api/pivots/
https://hubblecontent.osi.office.net/contentsvc/api/telemetry
https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
https://hubblecontent.osi.office.net/contentsvc/microsofticon?
https://ic3.teams.office.com
https://incidents.diagnostics.office.com
https://incidents.diagnosticssdf.office.com
https://inclient.store.office.com/gyro/client
https://inclient.store.office.com/gyro/clientstore
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
https://insertmedia.bing.office.net/odc/insertmedia
https://invites.office.com/
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
https://lifecycle.office.com
https://login.microsoftonline.com
https://login.microsoftonline.com/
https://login.microsoftonline.com/organizations
https://login.windows-ppe.net/common/oauth2/authorize
https://login.windows.local
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://login.windows.net/common/oauth2/authorize
https://loki.delve.office.com/api/v1/configuration/officewin32/
https://lookup.onenote.com/lookup/geolocation/v1
https://make.powerautomate.com
https://management.azure.com
https://management.azure.com/
https://messagebroker.mobile.m365.svc.cloud.microsoft
https://messaging.action.office.com/
https://messaging.action.office.com/setcampaignaction
https://messaging.action.office.com/setuseraction16
https://messaging.engagement.office.com/
https://messaging.engagement.office.com/campaignmetadataaggregator
https://messaging.lifecycle.office.com/
https://messaging.lifecycle.office.com/getcustommessage16
https://messaging.office.com/
https://metadata.templates.cdn.office.net/client/log
https://mss.office.com
https://my.microsoftpersonalcontent.com
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://ncus.contentsync.
https://ncus.pagecontentsync.
https://notification.m365.svc.cloud.microsoft/
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
https://ocos-office365-s2s.msedge.net/ab
https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
https://ods-diagnostics-ppe.trafficmanager.net
https://ofcrecsvcapi-int.azurewebsites.net/
https://officeapps.live.com
https://officeci.azurewebsites.net/api/
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://officepyservice.office.net/
https://officepyservice.office.net/service.functionality
https://officesetup.getmicrosoftkey.com
https://ogma.osi.office.net/TradukoApi/api/v1.0/
https://omex.cdn.office.net/addinclassifier/officeentities
https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
https://omex.cdn.office.net/addinclassifier/officesharedentities
https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
https://onedrive.live.com
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://onedrive.live.com/embed?
https://otelrules.azureedge.net
https://otelrules.svc.static.microsoft
https://outlook.office.com
https://outlook.office.com/
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://outlook.office365.com
https://outlook.office365.com/
https://outlook.office365.com/api/v1.0/me/Activities
https://outlook.office365.com/autodiscover/autodiscover.json
https://outlook.office365.com/connectors
https://ovisualuiapp.azurewebsites.net/pbiagave/
https://pages.store.office.com/appshome.aspx?productgroup=Outlook
https://pages.store.office.com/review/query
https://pages.store.office.com/webapplandingpage.aspx
https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://planner.cloud.microsoft
https://portal.office.com/account/?ref=ClientMeControl
https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
https://powerlift-frontdesk.acompli.net
https://powerlift.acompli.net
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://prod-global-autodetect.acompli.net/autodetect
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
https://pushchannel.1drv.ms
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
https://res.cdn.office.net
https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
https://res.cdn.office.net/polymer/models
https://res.getmicrosoftkey.com/api/redemptionevents
https://rpsticket.partnerservices.getmicrosoftkey.com
https://safelinks.protection.outlook.com/api/GetPolicy
https://service.officepy.microsoftusercontent.com/
https://service.powerapps.com
https://settings.outlook.com
https://shell.suite.office.com:1443
https://skyapi.live.net/Activity/
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://staging.cortana.ai
https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
https://storage.live.com/clientlogs/uploadlocation
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://substrate.office.com
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://syncservice.o365syncservice.com/"
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://templatesmetadata.office.net/
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://wus2.contentsync.
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine | Classification label: sus21.winEML@3/10@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241125T0929500391-7440.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6065E1BF-B448-4729-B690-738CE56980DD" "50158EAA-599F-457C-81F0-955AD51B0BD7" "7440" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix, listed per tactic (a leading number is the count of signatures mapped to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Process Discovery; 13 System Information Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No Antivirus matches
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
    high
    https://login.microsoftonline.com/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
      high
      https://shell.suite.office.com:144349CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
        high
        https://designerapp.azurewebsites.net49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
          high
          https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
            high
            https://autodiscover-s.outlook.com/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
              high
              https://useraudit.o365auditrealtimeingestion.manage.office.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                high
                https://outlook.office365.com/connectors49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                  high
                  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                    high
                    https://cdn.entity.49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                      high
                      https://api.addins.omex.office.net/appinfo/query49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                        high
                        https://clients.config.office.net/user/v1.0/tenantassociationkey49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                          high
                          https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                            high
                            https://powerlift.acompli.net49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                              high
                              https://rpsticket.partnerservices.getmicrosoftkey.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                high
                                https://lookup.onenote.com/lookup/geolocation/v149CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                  high
                                  https://cortana.ai49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                    high
                                    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                      high
                                      https://api.powerbi.com/v1.0/myorg/imports49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                        high
                                        https://notification.m365.svc.cloud.microsoft/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                          high
                                          https://cloudfiles.onenote.com/upload.aspx49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                            high
                                            https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                              high
                                              https://entitlement.diagnosticssdf.office.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                high
                                                https://api.aadrm.com/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                  high
                                                  https://ofcrecsvcapi-int.azurewebsites.net/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                    high
                                                    https://canary.designerapp.49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                      high
                                                      https://ic3.teams.office.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                        high
                                                        https://www.yammer.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                          high
                                                          https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                            high
                                                            https://api.microsoftstream.com/api/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                              high
                                                              https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                high
                                                                https://cr.office.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                  high
                                                                  https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                    high
                                                                    https://messagebroker.mobile.m365.svc.cloud.microsoft49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                      high
                                                                      https://otelrules.svc.static.microsoft49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                        high
                                                                        https://portal.office.com/account/?ref=ClientMeControl49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                          high
                                                                          https://clients.config.office.net/c2r/v1.0/DeltaAdvisory49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                            high
                                                                            https://edge.skype.com/registrar/prod49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                              high
                                                                              https://graph.ppe.windows.net49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                high
                                                                                https://res.getmicrosoftkey.com/api/redemptionevents49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                  high
                                                                                  https://powerlift-frontdesk.acompli.net49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                    high
                                                                                    https://officeci.azurewebsites.net/api/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                      high
                                                                                      https://sr.outlook.office.net/ws/speech/recognize/assistant/work49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                        high
                                                                                        https://api.scheduler.49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                          high
                                                                                          https://my.microsoftpersonalcontent.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                            high
                                                                                            https://store.office.cn/addinstemplate49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                              high
                                                                                              https://api.aadrm.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                                high
                                                                                                https://edge.skype.com/rps49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                                  high
                                                                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                                    high
                                                                                                    https://globaldisco.crm.dynamics.com49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                                      high
                                                                                                      https://messaging.engagement.office.com/49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.drfalse
                                                                                                        high
Name | Source | Malicious | Reputation
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://dev0-api.acompli.net/autodetect | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://www.odwebp.svc.ms | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://api.diagnosticssdf.office.com/v2/feedback | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://api.powerbi.com/v1.0/myorg/groups | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://web.microsoftstream.com/video/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://api.addins.store.officeppe.com/addinstemplate | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://graph.windows.net | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://dataservice.o365filtering.com/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://officesetup.getmicrosoftkey.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://analysis.windows.net/powerbi/api | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://prod-global-autodetect.acompli.net/autodetect | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://substrate.office.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://outlook.office365.com/autodiscover/autodiscover.json | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://consent.config.office.com/consentcheckin/v1.0/consents | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://d.docs.live.net | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://safelinks.protection.outlook.com/api/GetPolicy | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://ncus.contentsync. | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://syncservice.o365syncservice.com/" | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
http://weather.service.msn.com/data.aspx | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://apis.live.net/v5.0/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://officepyservice.office.net/service.functionality | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://templatesmetadata.office.net/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://messaging.lifecycle.office.com/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://planner.cloud.microsoft | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://mss.office.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://pushchannel.1drv.ms | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://management.azure.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://outlook.office365.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://wus2.contentsync. | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://incidents.diagnostics.office.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://clients.config.office.net/user/v1.0/ios | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://make.powerautomate.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://api.addins.omex.office.net/api/addins/search | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://insertmedia.bing.office.net/odc/insertmedia | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://outlook.office365.com/api/v1.0/me/Activities | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://api.office.net | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://incidents.diagnosticssdf.office.com | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
https://asgsmsproxyapi.azurewebsites.net/ | 49CC82B5-E74E-4DDB-87A1-CD8AB9975F26.0.dr | false | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562430
Start date and time: 2024-11-25 15:28:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml
Detection: SUS
Classification: sus21.winEML@3/10@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .eml
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.32.7, 20.189.173.3
• Excluded domains from analysis (whitelisted): ecs.office.com, ukw-azsc-000.roaming.officeapps.live.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, onedscolprdwus02.westus.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-ukw-buff-azsc-000.ukwest.cloudapp.azure.com, s-0005-office.config.skype.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml
No simulations
No context
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):231348
Entropy (8bit): 4.387342034609407
Encrypted: false
SSDEEP: 3072:N5gGJN9gPmiGu2MqoQPrt0Fvc8rhPzukq:NrLUmi2ZerhPzuF
MD5: EE1817AB377E2FD0633B009AA964D291
SHA1: C302E2E7AA9E9926CDA95D3EAA5146861F441F2F
SHA-256: FBD316863CDA495B3C388B1EA9B12A162D8D211086E362C27FEFBDAE0C239C87
SHA-512: 645966478CDBAD3B4EE5D0BDF592016915E02740E1D81D9308A404BD16CFBC448C7E29A6DB9AF9C74CA72BB500FCEB42EE3356F114CC419E2F2BB4E8B2F7B153
Malicious: false
Reputation: low
Preview: TH02...... ...TpF?......SM01X...,...0.HpF?..........IPM.Activity...........h...............h............H..hl....... .X/...h............H..h\hub ...AppD...h....0.........hX.FF...........h........_`"k...h$.FF@...I.Dw...h....H...8.'k...0....T...............d.........2h...............ke}............!h.............. hv.z,........#h....8.........$h........8....."hX.............'h..............1hX.FF<.........0h....4....'k../h....h.....'kH..h.G..p...l.....-h .............+h..FF....`................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf......
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 181859
Entropy (8bit): 5.295321363173134
Encrypted: false
SSDEEP: 1536:qi2XfRAqSbH4wglE6Le7HW8Qjj/o/NMOcAZl1p5ihs7EXXNEADpOBIa5YdGVF8St:ade7HW8Qjj/o/aXSbTx
MD5: 58E1C221D6E48C8AFE5ABDF34C579E35
SHA1: 0A93900FC8BAD9CE546FAAFE0F137134CD7C0AA3
SHA-256: 444489F9464269615EEBFEBD650FD1E10C8907E7E5AC397079295037120D758A
SHA-512: 67EEECD794EBFD1D4E79F4E7C9C943992DFA1EEA6CD78561B7B6AF4AE0DE17083673CD47A075C85236CE61E369A3B29342C815B3271B8B97D71761041CA1C0E1
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-25T14:29:57">.. Build: 16.0.18312.40138-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.04607946491510245
Encrypted: false
SSDEEP: 3:GtlxtjlxZkzsI2H9l/tlxtjlxZkzsI2Hu/jR9//8l1lvlll1lllwlvlllglbelDX:GtRZocftRZocuF9X01PH4l942wU
MD5: 693C42DF600E83FE5335878701FA0BF4
SHA1: 43983230458D7234FC38EB5BEE471212A6E32058
SHA-256: 09AFD3B3B7AAA70006619925A023E7B5F681EF0B26273CF209895BD1541B46B5
SHA-512: DAFB56879122ADE54F062BB283AACC750F9B347B18DBE79CC58E2A7A19A0455F525A39D35B439DD886FECE856382D7B3B5AA6FFC9E7A6C6FCB95244D8661AC03
Malicious: false
Reputation: low
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Category: dropped
Size (bytes): 49472
Entropy (8bit): 0.483812614951316
Encrypted: false
SSDEEP: 48:u1FQ1/CnUll7DYMdzO8VFDYMeBO8VFDYML:usZTll4ejVG/jVGC
MD5: 5CE42C7D57687E776F02098E9D6B0F51
SHA1: 290010F40EC36950FA83C42AD0E6B22E46089A06
SHA-256: FA3D309DA0A299E6E472065B6D7A73CD9C7C4C79A0953FD31EE9B95C74D862DB
SHA-512: 99CD4853319011476E056AE21DB8180FEBFB4D3180568DDC6B47598FB1F859E20212B70800DCD93EFC8874419726B25F26B41019A4708AFC9DC3A1FC69C6735E
Malicious: false
Reputation: low
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with very long lines (28764), with CRLF line terminators
Category: dropped
Size (bytes): 20971520
Entropy (8bit): 0.16051280507854648
Encrypted: false
SSDEEP: 3072:xLUsrFXJaFFVEXpW1mHnmK3QAGxO6mlXHwEusfxonYAl56GPaLJdzkg+sWnypQNN:xLUGJa/2e
MD5: 303D681387E24D6120FF6FCB18FB089A
SHA1: 3D191163993E5F2C9E4E6B304057D69F59934DC6
SHA-256: 8958446554BD20E9A6A0D6F7AF3F7A56F541772F2B82ADA80B41ACC8C69E58FE
SHA-512: 200D49F7C2922EE685FE82785B6A69FBFA78AB8743D03579B9CE5FEA1D40DA072FF3F4E5C6D6C06725F977E00C6204B875B66D945C82555E215D12539F8717D5
Malicious: false
Reputation: low
Preview: Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/25/2024 14:29:53.469.OUTLOOK (0x1D10).0x1D14.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-11-25T14:29:53.469Z","Contract":"Office.System.Activity","Activity.CV":"R3osCsZQ/EeuSXMqFlXbNw.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...11/25/2024 14:29:53.500.OUTLOOK (0x1D10).0x1D14.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-11-25T14:29:53.500Z","Contract":"Office.System.Activity","Activity.CV":"R3osCsZQ/EeuSXMqFlXbNw.4.10","Activity.Duration":16838,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 20971520
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1: 9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256: CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512: 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious: false
Reputation: high, very likely benign file
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 106496
Entropy (8bit): 4.491785427058237
Encrypted: false
SSDEEP: 768:lfBJLHvOrNxv4lQOIpxE9FFE/KbxZXWNWVW3WkhXgF40hrqrx:xu4HIHE9FFgKvWXyl6
MD5: BB0946C032E33ED02CC3CF0D16232612
SHA1: 80D77FD829ECC3BBB062710B74DDB545396880F9
SHA-256: 849C80E5571C1DE87C68A7099B5CAF1F02D340B464D320503B85BA5B782634AE
SHA-512: C3208A2DF2C0AF17AFD6EB3BE08230C4FCE16F6868B9ABDD876565C192A1A91FFD85D9DD2848B4DD4D5AFC7FC2AB31BA24892D2C4D4BB17FC5B2840D75FE6C4C
Malicious: false
Preview: ............................................................................d............@W|F?..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................#.=[............@W|F?..........v.2._.O.U.T.L.O.O.K.:.1.d.1.0.:.c.e.b.f.e.7.3.4.b.8.7.3.4.f.4.b.a.3.b.a.f.a.f.e.8.9.5.b.3.8.9.0...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.2.5.T.0.9.2.9.5.0.0.3.9.1.-.7.4.4.0...e.t.l...........P.P.........Q.Y|F?
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: modified
Size (bytes): 30
Entropy (8bit): 1.2389205950315936
Encrypted: false
SSDEEP: 3:0qnz/t:0cz
MD5: F0B49112ADF44253E63B4D9CE39E99AC
SHA1: CCA6056200930401DB2DA574CA5CDA5254C97323
SHA-256: 9F239326C42E685E8F31ABC39EDF7082AA8CEF50AB4F82CB838BBF9005461645
SHA-512: DE1929C678591DFF14431AFB88A0071D035F9DA3756C17699802B0801CC560AD266E0581E9664AE799F5E7E955389C3D0E0F4A163138BF737AD22571A1909D90
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 5.337083271513736
Encrypted: false
SSDEEP: 3072:oq11vkYUChxXRGp+L04tZ/lWzxi715Mxp9Xdp9:Fn2wLXtZdWV7xnd
MD5: F8183ABE65F12038A0F98D1E74332025
SHA1: 437B592C81B92C57F7E3A7364F7EDA42418EB474
SHA-256: 61B44913E7C0AF30F2027E1018073B5AD227CF228AC38E76BC6693B1C8470104
SHA-512: 494961477F3137882D9AF0306D39BBD9880E2CC1103CA3D0A089405FF990BDD2898706C03E8749A9AC1ED12173B7587AFB43C2044E40979A60F6522B29BFFF13
Malicious: true
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 262144
Entropy (8bit): 4.796508626286481
Encrypted: false
SSDEEP: 1536:pP4qQ10PAwr1oDO9gpD3eL/J5sk5u4A7YsaChxXg/oyqzLEKg1iiL5b5iKYlL04e:uaFv/6UChxXdGtuL04HZRlfzsp9orQ
MD5: 83C353E7228858ECDA5B2D25FC823A34
SHA1: DA83257B48EB3323E2D5733F51F1CAEAFC77F56D
SHA-256: 76219852C24481B155E798DD332C0B0951C052DAD64DFA1D93779678B1FA9594
SHA-512: 94AA9BB07D6547C18DA90CEEC795CF9195E571D1CD24E5D3581ABB719AAA7C2F339986C79E7ECA47EE7DC599D3E0F897DD89DB9D38484FBC48938E4AAC68ECB9
Malicious: true
File type: RFC 822 mail, ASCII text, with very long lines (377), with CRLF, CR line terminators
Entropy (8bit): 6.054513143697263
TrID:
• E-Mail message (Var. 5) (54515/1) 100.00%
File name: 3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml
File size: 138'955 bytes
MD5: fcec9d80a1e0c4639171d7612f86ca09
SHA1: 86758b446d54d5ae5fba0236c148ed76c50632b5
SHA256: 450221ee3d9144ca03e1058d3ba0e5ad09b4153341676089db9e244662b89800
SHA512: 936d4230970add69bc2f16ee45662d0cba72a764ce6d66cdaf47e11a6eedd25bfc4c6f0db5a679d16e25b95b8e8ed7dfac114e3d919654b7fb0c9951a896b475
SSDEEP: 1536:8LukB/XhA4Ebj+1oZjwgZWv7cnbVBRkvVwb497LaOHuwK9WMadEmWy619fBhvejb:8CkuQoZVZWzcnbydpa4wdaMNddK
TLSH: 8BD36934210218E2B14B597EC812A163CD28E1123F932DE617D741B9BF9ACE779EB4DD
File Content Preview: Received: from DB9PR05MB10374.eurprd05.prod.outlook.com (2603:10a6:10:463::22).. by HE1PR0502MB3643.eurprd05.prod.outlook.com with HTTPS; Thu, 21 Nov 2024.. 11:07:07 +0000..Received: from AM0PR10CA0051.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:150::31).. b
Subject: hk djtnt Rd! Rv nd r nft/n fr nn tvt 4th Qrtr - RhkFR9j==
From: "R/r R. |gt d RhkFR9 =" <kuma@720901.com>
To: ed.riley@mailonline.co.uk
Cc:
BCC:
Date: Thu, 21 Nov 2024 20:01:22 +0900
Communications:
• External Sender
Attachments:
• Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx
Key Value
Received: from unknown (HELO ?100.64.100.6?) (kyodo-c@ao-re.jp@50.114.45.161) by 0 with SMTP; 21 Nov 2024 20:01:20 +0900
Authentication-Results: spf=pass (sender IP is 150.60.232.67) smtp.mailfrom=720901.com; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=720901.com;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of 720901.com designates 150.60.232.67 as permitted sender) receiver=protection.outlook.com; client-ip=150.60.232.67; helo=mta.ham1002.secure.ne.jp; pr=C
From: "R/r R. |gt d RhkFR9 =" <kuma@720901.com>
To: ed.riley@mailonline.co.uk
Subject: hk djtnt Rd! Rv nd r nft/n fr nn tvt 4th Qrtr - RhkFR9j==
Content-Type: multipart/mixed; boundary="000000000000706x202411p02024"
Message-Id: <20241121110122.05EC1520D1E@mta.ham1002.secure.ne.jp>
Date: Thu, 21 Nov 2024 20:01:22 +0900
Return-Path: kuma@720901.com
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 0f3a4c64-4dc5-4a76-8d41-52d85ca158a5:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM2PEPF0001C713:EE_|DB9PR05MB10374:EE_|HE1PR0502MB3643:EE_
X-MS-Office365-Filtering-Correlation-Id: 2f163f3f-c3a0-448e-c7ab-08dd0a1bd758
X-MS-Exchange-AtpMessageProperties: SA|SL
X-Microsoft-Antispam: BCL:0;ARA:13230040|12012899012|5062899012|3072899012|2092899012|41022699024|8096899003|95630200002;
X-Forefront-Antispam-Report: CIP:150.60.232.67;CTRY:JP;LANG:el;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mta.ham1002.secure.ne.jp;PTR:ham1002.secure.ne.jp;CAT:NONE;SFS:(13230040)(12012899012)(5062899012)(3072899012)(2092899012)(41022699024)(8096899003)(95630200002);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Nov 2024 11:01:24.0730 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 2f163f3f-c3a0-448e-c7ab-08dd0a1bd758
X-MS-Exchange-CrossTenant-Id: 0f3a4c64-4dc5-4a76-8d41-52d85ca158a5
X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C713.eurprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR05MB10374
X-MS-Exchange-Transport-EndToEndLatency: 00:05:43.0882067
X-MS-Exchange-Processed-By-BccFoldering: 15.20.8158.023
Importance: high
X-Priority: 1
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
MIME-Version: 1.0

Icon Hash: 46070c0a8e0c67d6
No network behavior found

Target ID: 0
Start time: 09:29:48
Start date: 25/11/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml"
Imagebase: 0x750000
File size: 34'446'744 bytes
MD5 hash: 91A5292942864110ED734005B7E005C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:29:59
Start date: 25/11/2024
Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6065E1BF-B448-4729-B690-738CE56980DD" "50158EAA-599F-457C-81F0-955AD51B0BD7" "7440" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase: 0x7ff6f3880000
File size: 710'048 bytes
MD5 hash: EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly