

Windows Analysis Report
9oKqST-uPDy7iigkXM-C5J2.eml

Overview

General Information

Sample name: 9oKqST-uPDy7iigkXM-C5J2.eml
Analysis ID: 1562877
MD5: 32161bb2b1abdd04ce207033fbf339cd
SHA1: 6aab3cfb4975ca8a04bed3d5616bf8f04e433b7b
SHA256: 1d97732cf7ef7f8cc9bf8b57e36996e61e568563f5c5ca4ebe6fdfb14333753e

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected potential phishing Email
Machine Learning detection for sample
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Sigma detected: Suspicious Office Outbound Connections
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7364 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\9oKqST-uPDy7iigkXM-C5J2.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7756 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "909F8203-86CF-4645-BECD-9B51F3F5FCE2" "C09C1B24-C44F-467A-9AB2-5232C5339FAF" "7364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma matches:
  • Office Autorun Keys Modification (authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)). Source: Registry Key set. EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1, Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • Outlook Security Settings Updated - Registry (author: frack113). Source: Registry Key set. EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder, Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GDW5G7JO\
  • Suspicious Office Outbound Connections (author: X__Junior (Nextron Systems)). Source: Network Connection. EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7364, Protocol: tcp, Initiated: true, SourceIp: 52.113.195.132, SourcePort: 443, SourceIsIpv6: false, DestinationIp: 192.168.2.4, DestinationPort: 49740, DestinationIsIpv6: false

Suricata IDS alerts:
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-11-26T08:20:47.616660+0100  2028371  3         Unknown Traffic  192.168.2.4  49740        52.113.195.132  443               TCP
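Both Sigma registry hits come from Sysmon EventID 13 (registry value set) events, and in both the writer is OUTLOOK.EXE itself, the process that opened the .eml. The question a triager needs answered is not "was an Office key touched" but "which process touched it". The Python below is an added example, not Joe Sandbox code and not the Sigma project's rules: it approximates the core selection of the two rules (an assumption; the upstream YAML carries more key paths and filters) over constructed Sysmon records, two of which mirror the report's events and two of which are invented to show a non-Office process writing the same keys, and attaches the verdict the writer's identity justifies.

```python
"""Approximate the two Sigma registry rules from the report over Sysmon EventID 13
records and add the context a triager wants: which process wrote the value."""

# Constructed Sysmon EventID 13 (RegistryEvent, SetValue) records. The first two mirror
# the OUTLOOK.EXE writes in the report; the last two are invented (hypothetical PIDs and
# images) to show a non-Office writer touching the same keys.
EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7364,
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1",
     "Details": "00 00 00 00 00 00 00 00"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7364,
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GDW5G7JO" + "\\"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4242,      # constructed
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 5150,      # constructed
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\example.addin\LoadBehavior",
     "Details": "DWORD (0x00000003)"},
]


# Simplified core selections of the two rules (assumption: the upstream Sigma YAML
# lists more key paths and filters; this is the shape of the logic, not the rule text).
def rule_office_autorun(ev: dict) -> bool:
    target = ev["TargetObject"].lower()
    return (ev["EventID"] == 13 and ev["EventType"] == "SetValue"
            and "\\software\\microsoft\\office\\" in target and "\\addins\\" in target)


def rule_outlook_security(ev: dict) -> bool:
    target = ev["TargetObject"].lower()
    return (ev["EventID"] == 13 and ev["EventType"] == "SetValue"
            and "\\outlook\\security\\" in target)


RULES = {
    "Office Autorun Keys Modification": rule_office_autorun,
    "Outlook Security Settings Updated - Registry": rule_outlook_security,
}

OFFICE_IMAGES = ("\\outlook.exe", "\\winword.exe", "\\excel.exe", "\\powerpnt.exe")


def triage(ev: dict) -> list[tuple[str, str]]:
    """Return (rule name, verdict) for every rule the event matches.

    expected    - OUTLOOK.EXE recording the temp folder it uses for attachments; this is
                  normal attachment handling and carries no signal on its own
    low         - an Office binary writing its own add-in keys; confirm the add-in name
    investigate - any other process changing Outlook security or add-in settings
    """
    image = ev["Image"].lower()
    value_name = ev["TargetObject"].rsplit("\\", 1)[-1]
    findings = []
    for name, matches in RULES.items():
        if not matches(ev):
            continue
        if not image.endswith(OFFICE_IMAGES):
            verdict = "investigate"
        elif (name == "Outlook Security Settings Updated - Registry"
              and value_name == "OutlookSecureTempFolder"):
            verdict = "expected"
        else:
            verdict = "low"
        findings.append((name, verdict))
    return findings


def run(events: list[dict]) -> list[tuple[int, str, str]]:
    """Flatten (pid, rule, verdict) over a batch of events."""
    return [(ev["ProcessId"], rule, verdict)
            for ev in events for rule, verdict in triage(ev)]


if __name__ == "__main__":
    for pid, rule, verdict in run(EVENTS):
        print(f"PID {pid}: {rule} -> {verdict}")
```

Run against the four records, the two report events come out as "low" and "expected", while the invented PowerShell write to Outlook\Security\Level and the rundll32 write to an add-in LoadBehavior value come out as "investigate". The rule logic is the same in all four cases; the writer's image is what separates noise from a lead.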



AV Detection

Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Joe Sandbox ML: detected

Phishing

Source: Email | Joe Sandbox AI: Detected potential phishing email: The email contains a suspicious RAR attachment, which is an uncommon and potentially dangerous format for legitimate business documents. Generic 'Sir/Ma' greeting suggests mass-sending rather than legitimate business communication. The urgency to release payment combined with request for sensitive financial documents (TDS certificate) is a common phishing tactic
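The verdict above rests on three observable traits: a RAR attachment, a generic greeting, and payment urgency paired with a request for a financial document (the TDS certificate). Those traits can be checked mechanically before a message reaches a user. The Python below is an added example, not Joe Sandbox code: it builds a constructed .eml modelled on that description (sender, recipient, wording and attachment bytes are all invented) and scores it with the same three heuristics, identifying the attachment by its RAR signature bytes rather than by trusting the file name.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# RAR4 and RAR5 file signatures; checked against the decoded payload, not the name.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
RISKY_EXT = {"rar", "zip", "7z", "iso", "img", "lnk", "js", "vbs", "exe", "scr"}

# Heuristics mirroring the three points in the sandbox's rationale.
GENERIC_GREETING = re.compile(
    r"^\s*(dear\s+)?(sir\s*/\s*ma(dam)?|sir|madam|customer|user)\b", re.I | re.M)
URGENCY = re.compile(
    r"\b(urgent|immediately|as soon as possible|release (the )?payment|within 24 hours)\b", re.I)
SENSITIVE_DOCS = re.compile(
    r"\b(tds certificate|invoice|bank (details|statement)|swift|pan card)\b", re.I)


def build_sample_eml() -> bytes:
    """Constructed message modelled on the report's description (all values invented)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Payment release - TDS certificate required"
    msg.set_content("Dear Sir/Ma,\n\nKindly release the payment immediately "
                    "and send the TDS certificate.\n\nRegards")
    # A file that is really a RAR5 archive header followed by padding.
    msg.add_attachment(RAR_MAGIC[1] + b"\x00" * 64, maintype="application",
                       subtype="x-rar-compressed", filename="Payment_Advice.rar")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Score an RFC 5322 message on greeting, urgency, document request and attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, int]] = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if GENERIC_GREETING.search(text):
        findings.append(("generic greeting", 1))
    if URGENCY.search(text):
        findings.append(("urgency", 1))
    if SENSITIVE_DOCS.search(text):
        findings.append(("requests financial document", 1))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXT:
            findings.append((f"risky attachment type .{ext}: {name}", 2))
        if payload.startswith(RAR_MAGIC):
            findings.append((f"RAR signature confirmed: {name}", 2))
        elif ext == "rar":
            # Named .rar but the bytes say otherwise: still worth a look, different reason.
            findings.append((f"named .rar but no RAR signature: {name}", 2))

    score = sum(weight for _, weight in findings)
    return {"findings": [f for f, _ in findings], "score": score,
            "verdict": "likely phishing" if score >= 4 else "review"}


if __name__ == "__main__":
    result = triage_eml(build_sample_eml())
    print(result["verdict"], result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

The weights are arbitrary (another assumption); what matters is that the archive check reads the payload's leading bytes, so a renamed archive and a mislabelled one are both reported, and that the text heuristics run on the decoded body rather than on the raw MIME.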
Source: unknown | HTTPS traffic detected: 52.113.195.132:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 52.113.195.132
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 52.113.195.132:443
Source: global traffic | HTTP traffic detected:
GET /config/v2/Office/outlook/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=outlook&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=outlook.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b059BD83B-3A9F-4761-BF21-FAE3AB004A61%7d&LabMachine=false HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
If-None-Match: ""
User-Agent: Microsoft Office 2014
DisableExperiments: false
X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130
Host: ecs.office.com
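The JA3 fingerprint above is an MD5 over five fields of the TLS ClientHello: protocol version, cipher suites, extension types, supported groups and EC point formats, each as decimal values joined with "-", with GREASE values dropped. Because those fields are set by the TLS library, one hash covers every program on the host that uses the same stack, which is why a hash-only Suricata rule fires at severity 3 on an Office process and needs the process name and destination as corroboration before it means anything. The Python below is an added example, not part of the Joe Sandbox report: it builds a constructed ClientHello (cipher and extension values are illustrative, not taken from the sample's traffic) and derives its JA3 string and hash, showing where GREASE values are filtered out.

```python
import hashlib


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa; JA3 ignores them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _u16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")


def ja3_string(record: bytes) -> str:
    """Derive the JA3 string from a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                      # drop the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                              # handshake type (1) + length (3)
    version = _u16(hs, pos)
    pos += 2
    pos += 32                            # client random
    pos += 1 + hs[pos]                   # session id (length-prefixed)
    cs_len = _u16(hs, pos)
    pos += 2
    ciphers = [_u16(hs, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                   # compression methods (length-prefixed)

    exts, groups, formats = [], [], []
    if pos + 2 <= len(hs):
        ext_end = pos + 2 + _u16(hs, pos)
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = _u16(hs, pos), _u16(hs, pos + 2)
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:              # supported_groups: u16 list length, u16 entries
                groups = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
            elif etype == 11:            # ec_point_formats: u8 list length, u8 entries
                formats = list(data[1:1 + data[0]])

    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    return f"{version},{join(ciphers)},{join(exts)},{join(groups)},{join(formats)}"


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# --- constructed ClientHello for the demonstration (hypothetical values) ---------------
def build_client_hello(version: int, ciphers: list[int],
                       extensions: list[tuple[int, bytes]]) -> bytes:
    """Wrap a minimal ClientHello (zeroed random, no session id) in a TLS record."""
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d
                   for t, d in extensions)
    body = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
            + len(cs).to_bytes(2, "big") + cs
            + b"\x01\x00"                           # one compression method: null
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


def sni(host: bytes) -> bytes:
    entry = b"\x00" + len(host).to_bytes(2, "big") + host
    return len(entry).to_bytes(2, "big") + entry


def supported_groups(groups: list[int]) -> bytes:
    lst = b"".join(g.to_bytes(2, "big") for g in groups)
    return len(lst).to_bytes(2, "big") + lst


def point_formats(fmts: list[int]) -> bytes:
    return bytes([len(fmts)]) + bytes(fmts)


SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],              # GREASE first, then real suites
    [(0x0A0A, b""),                                        # GREASE extension
     (0, sni(b"example.com")),
     (10, supported_groups([0x2A2A, 0x001D, 0x0017, 0x0018])),  # GREASE group first
     (11, point_formats([0])),
     (13, b"\x00\x04\x04\x03\x08\x04"),                    # signature_algorithms
     (23, b"")],                                           # extended_master_secret
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_hash(SAMPLE_HELLO))
```

For the constructed hello the string is "771,4865-4866-49195-49199,0-10-11-13-23,29-23-24,0": the GREASE cipher, extension and group are gone, and nothing in it identifies the application. Two different programs on the same Windows build that both use the system TLS stack would produce the same five fields, so a JA3 match is a statement about the library, and the process name in the Sysmon event is what ties it to OUTLOOK.EXE.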
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 9oKqST-uPDy7iigkXM-C5J2.eml, ~WRS{B201CDCA-7415-455D-9F27-5DC14F7657E1}.tmp.0.dr | String found in binary or memory: http://www.wheel-done.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.aadrm.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.cortana.ai
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.microsoftstream.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.office.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://api.scheduler.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://app.powerbi.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://augloop.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://canary.designerapp.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.entity.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cortana.ai
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cortana.ai/api
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://cr.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://d.docs.live.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://designerapp.azurewebsites.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://directory.services.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ecs.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://edge.skype.com/rps
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://graph.windows.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ic3.teams.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://invites.office.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.microsoftonline.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | String found in binary or memory: https://login.windows.localT
Source: OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | String found in binary or memory: https://login.windows.localnull
Source: OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | String found in binary or memory: https://login.windows.localnullsonD
Source: OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | String found in binary or memory: https://login.windows.localo
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://make.powerautomate.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://management.azure.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://management.azure.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.action.office.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.engagement.office.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://messaging.office.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://mss.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://officeapps.live.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://officepyservice.office.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://onedrive.live.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://otelrules.azureedge.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office365.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://outlook.office365.com/connectors
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://planner.cloud.microsoft
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://pushchannel.1drv.ms
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://res.cdn.office.net
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://service.powerapps.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://settings.outlook.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://staging.cortana.ai
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://substrate.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://syncservice.o365syncservice.com/"
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://templatesmetadata.office.net/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://wus2.contentsync.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drString found in binary or memory: https://www.yammer.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | HTTPS traffic detected: 52.113.195.132:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: classification engine | Classification label: mal48.winEML@3/25@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\9oKqST-uPDy7iigkXM-C5J2.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "909F8203-86CF-4645-BECD-9B51F3F5FCE2" "C09C1B24-C44F-467A-9AB2-5232C5339FAF" "7364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (85 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Binary or memory string: ZCbK9nZNHHNUSHVVsvRFYDWSMn7ibXCvheCex8KcNkmItWvMcI6vDd/TSrrtNzWze2bl/RvlngND
Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Binary or memory string: 4UiMDTrayt1E67u18Br6Z9WOGumNqzt7J95eBpjx4VmciuuDldKG6NDeXUoYJ1Emq7gTxGD39cm8
Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Binary or memory string: PrADUjH4x0eUpf84bSIQPtxxfD7tFt/MjmkulYmpyKBNHgfStZ0AuqouxyAx1Ul7hbwz1ZfAJVsy
Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Binary or memory string: Z03K4/9Jjld1yMJXQCVYzoZh00gJ8buOqY4ujcjflncSZ0wRzV1DQdzr4xuPQeMUmCTGVSvVkv31
Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Binary or memory string: WuWQCcUKTIEJHnwXqUzBJgxIMCIxUsRCC72nceqGbiDQeMU4ikuu5INa0Rhc2gfaAQaCEVnajHeg
Source: 9oKqST-uPDy7iigkXM-C5J2.eml | Binary or memory string: JrJQDhmVyTPiRqWj7DZGmM4RDfO2ieiNrV+6MlpXt9fAs9jK2R48UVbXrb8N7yzw3h7qh7FhgfsR
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix, by tactic (a number in parentheses is the count of matched signatures the report shows for that technique):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron
Persistence: Browser Extensions (1) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook
Privilege Escalation: Process Injection (1) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook
Defense Evasion: Masquerading (1) | Modify Registry (1) | Process Injection (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: Security Software Discovery (1) | Process Discovery (1) | File and Directory Discovery (1) | System Information Discovery (13)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture
Command and Control: Encrypted Channel (1) | Non-Application Layer Protocol (1) | Application Layer Protocol (2) | Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction
Source | Detection | Scanner | Label | Link
9oKqST-uPDy7iigkXM-C5J2.eml | 100% | Joe Sandbox ML | - | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://login.windows.localo | 0% | Avira URL Cloud | safe | -
https://login.windows.localnullsonD | 0% | Avira URL Cloud | safe | -
http://www.wheel-done.com/ | 0% | Avira URL Cloud | safe | -
http://www.wheel-done.com/ | 0% | Virustotal | - | -

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.s-dc-msedge.net | 52.113.195.132 | true | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://login.microsoftonline.com/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://shell.suite.office.com:1443 | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://designerapp.azurewebsites.net | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://autodiscover-s.outlook.com/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://useraudit.o365auditrealtimeingestion.manage.office.com | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://outlook.office365.com/connectors | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://cdn.entity. | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://api.addins.omex.office.net/appinfo/query | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://login.windows.localnull | OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | false | - | high
https://powerlift.acompli.net | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://rpsticket.partnerservices.getmicrosoftkey.com | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://lookup.onenote.com/lookup/geolocation/v1 | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://cortana.ai | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://login.windows.localnullsonD | OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | false | Avira URL Cloud: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://api.powerbi.com/v1.0/myorg/imports | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://notification.m365.svc.cloud.microsoft/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://cloudfiles.onenote.com/upload.aspx | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://login.windows.localo | OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr | false | Avira URL Cloud: safe | unknown
https://entitlement.diagnosticssdf.office.com | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://api.aadrm.com/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://ofcrecsvcapi-int.azurewebsites.net/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://canary.designerapp. | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://ic3.teams.office.com | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://www.yammer.com | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false | - | high
https://api.microsoftstream.com/api/ | 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr | false
                                                                  high
                                                                  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                    high
                                                                    https://cr.office.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                      high
                                                                      https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                        high
                                                                        https://login.windows.localTOUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.drfalse
                                                                          high
                                                                          https://messagebroker.mobile.m365.svc.cloud.microsoft8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                            high
                                                                            https://otelrules.svc.static.microsoft8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                              high
                                                                              https://portal.office.com/account/?ref=ClientMeControl8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                high
                                                                                https://clients.config.office.net/c2r/v1.0/DeltaAdvisory8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                  high
                                                                                  https://edge.skype.com/registrar/prod8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                    high
                                                                                    https://graph.ppe.windows.net8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                      high
                                                                                      https://res.getmicrosoftkey.com/api/redemptionevents8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                        high
                                                                                        https://powerlift-frontdesk.acompli.net8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                          high
                                                                                          https://officeci.azurewebsites.net/api/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                            high
                                                                                            https://sr.outlook.office.net/ws/speech/recognize/assistant/work8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                              high
                                                                                              https://api.scheduler.8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                high
                                                                                                https://my.microsoftpersonalcontent.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                  high
                                                                                                  https://store.office.cn/addinstemplate8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                    high
                                                                                                    https://api.aadrm.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                      high
                                                                                                      https://edge.skype.com/rps8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                        high
                                                                                                        https://outlook.office.com/autosuggest/api/v1/init?cvid=8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                          high
                                                                                                          https://globaldisco.crm.dynamics.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                            high
                                                                                                            https://messaging.engagement.office.com/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                              high
                                                                                                              https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                high
                                                                                                                https://dev0-api.acompli.net/autodetect8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                  high
                                                                                                                  https://www.odwebp.svc.ms8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                    high
                                                                                                                    https://api.diagnosticssdf.office.com/v2/feedback8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                      high
                                                                                                                      https://api.powerbi.com/v1.0/myorg/groups8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                        high
                                                                                                                        https://web.microsoftstream.com/video/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                          high
                                                                                                                          https://api.addins.store.officeppe.com/addinstemplate8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                            high
                                                                                                                            https://graph.windows.net8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                              high
                                                                                                                              https://dataservice.o365filtering.com/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                high
                                                                                                                                https://officesetup.getmicrosoftkey.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://analysis.windows.net/powerbi/api8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://prod-global-autodetect.acompli.net/autodetect8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://substrate.office.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                        high
                                                                                                                                        http://www.wheel-done.com/9oKqST-uPDy7iigkXM-C5J2.eml, ~WRS{B201CDCA-7415-455D-9F27-5DC14F7657E1}.tmp.0.drfalse
                                                                                                                                        • 0%, Virustotal, Browse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://outlook.office365.com/autodiscover/autodiscover.json8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://consent.config.office.com/consentcheckin/v1.0/consents8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://notification.m365.svc.cloud.microsoft/PushNotifications.Register8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://d.docs.live.net8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://safelinks.protection.outlook.com/api/GetPolicy8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://ncus.contentsync.8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://syncservice.o365syncservice.com/"8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://weather.service.msn.com/data.aspx8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://apis.live.net/v5.0/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://officepyservice.office.net/service.functionality8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://templatesmetadata.office.net/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://messaging.lifecycle.office.com/8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://planner.cloud.microsoft8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://mss.office.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://pushchannel.1drv.ms8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://management.azure.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://outlook.office365.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://wus2.contentsync.8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://incidents.diagnostics.office.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://clients.config.office.net/user/v1.0/ios8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://make.powerautomate.com8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://api.addins.omex.office.net/api/addins/search8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.drfalse
                                                                                                                                                                                                      high
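Almost every row in the URL table above comes from 8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr or from Outlook's own ETL trace, that is, from Office's first-party endpoints that surface whenever any .eml is opened in Outlook; the one URL the sample itself contributed is http://www.wheel-done.com/, sourced from the .eml and from Outlook's ~WRS scratch file. The triage below is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling: it takes the table rows as (name, source, malicious, reputation) tuples, keeps every URL whose source is the sample, and otherwise drops URLs whose hostname sits under a Microsoft first-party domain with a "high" reputation. The first-party suffix list and the triage rule are assumptions chosen for illustration, the four report rows are copied from the table, and the fifth row is a constructed lookalike (not in the report) that shows why the domain check must be a label-boundary suffix match on the parsed hostname rather than a substring search.

```python
"""Triage a Joe Sandbox URL table: separate URLs the sample contributed
from the Office/Outlook first-party endpoints any opened .eml will surface.
Added example; not code from the report or from Joe Sandbox."""
from urllib.parse import urlsplit

SAMPLE_NAME = "9oKqST-uPDy7iigkXM-C5J2.eml"

# Assumed allow-list of Microsoft first-party domains Office contacts on
# its own. Illustrative only; the report does not provide such a list.
FIRST_PARTY_SUFFIXES = (
    "office.com", "office.net", "office365.com", "officeppe.com",
    "microsoft.com", "cloud.microsoft", "windows.net", "windows.local",
    "live.com", "live.net", "msn.com", "onenote.com", "acompli.net",
    "outlook.com", "skype.com", "bing.com", "azure.com", "1drv.ms",
)

# (name, source, malicious, reputation). Rows 1-4 are copied from the report
# table; row 5 is CONSTRUCTED (reserved .test TLD) and is not in the report.
ROWS = [
    ("https://outlook.office365.com/autodiscover/autodiscover.json",
     "8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr", False, "high"),
    ("https://login.windows.localnull",
     "OUTLOOK_16_0_16827_20130-20241126T0220390027-7364.etl.0.dr", False, "high"),
    ("http://www.wheel-done.com/",
     "9oKqST-uPDy7iigkXM-C5J2.eml, ~WRS{B201CDCA-7415-455D-9F27-5DC14F7657E1}.tmp.0.dr",
     False, "unknown"),
    ("http://weather.service.msn.com/data.aspx",
     "8A28E2F7-C2F3-4175-B6AD-1A4D4859E09E.0.dr", False, "high"),
    ("https://outlook.office365.com.example.test/login",  # constructed lookalike
     SAMPLE_NAME, False, "unknown"),
]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if urlsplit cannot parse it."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_first_party(host: str) -> bool:
    """Label-boundary suffix match: 'outlook.office365.com' passes,
    'outlook.office365.com.example.test' does not, even though it contains
    'office365.com' as a substring."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def sources_of(source_field: str) -> list[str]:
    """The Source column lists one or more dropped-file names, comma separated."""
    return [s.strip() for s in source_field.split(",") if s.strip()]


def classify(name, source, malicious, reputation, sample_name):
    """Annotate one row; 'interesting' is the assumed triage rule:
    anything flagged malicious, anything the sample itself contributed, and
    anything neither first-party nor vetted as 'high' reputation."""
    host = host_of(name)
    from_sample = sample_name in sources_of(source)
    first_party = is_first_party(host)
    interesting = bool(malicious) or from_sample or (not first_party and reputation != "high")
    return {
        "url": name,
        "host": host,
        "from_sample": from_sample,
        "first_party": first_party,
        "plaintext_http": urlsplit(name).scheme == "http",
        "interesting": interesting,
    }


def triage(rows, sample_name):
    """Return the annotated rows worth an analyst's attention, in table order."""
    return [c for c in (classify(*r, sample_name) for r in rows) if c["interesting"]]


if __name__ == "__main__":
    for hit in triage(ROWS, SAMPLE_NAME):
        flags = [k for k in ("from_sample", "plaintext_http") if hit[k]]
        print(f"{hit['url']}  host={hit['host']}  first_party={hit['first_party']}  {flags}")
```

Run against the table as reconstructed here, the rule leaves the wheel-done.com URL (sample-sourced, plain HTTP, not first-party) and the constructed lookalike, and silently drops the telemetry rows; note that the login.windows.local entries carry trailing bytes from the ETL extraction in their hostname, so they fail the suffix check and are excluded only because the report rates them "high".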
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.195.132 | s-0005.s-dc-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                      Analysis ID:1562877
                                                                                                                                                                                                      Start date and time:2024-11-26 08:19:41 +01:00
                                                                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                                                                      Overall analysis duration:0h 4m 54s
                                                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                                                      Report type:full
                                                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                                                      Technologies:
                                                                                                                                                                                                      • HCA enabled
                                                                                                                                                                                                      • EGA enabled
                                                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                                                      Sample name:9oKqST-uPDy7iigkXM-C5J2.eml
                                                                                                                                                                                                      Detection:MAL
                                                                                                                                                                                                      Classification:mal48.winEML@3/25@0/1
                                                                                                                                                                                                      EGA Information:Failed
                                                                                                                                                                                                      HCA Information:
                                                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                                                      • Found application associated with file extension: .eml
                                                                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 52.109.89.18, 69.192.160.109, 52.109.89.19, 20.189.173.28, 23.32.238.193, 23.32.238.185
                                                                                                                                                                                                      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, onedscolprdwus18.westus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.c
                                                                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                      No simulations
Match: 52.113.195.132
Associated Sample Name / URL | Detection | Threat Name | Context
PVJ6cLZQ0T.xls | malicious | Unknown |
3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml | malicious | HTMLPhisher |
docx008.docx.doc | malicious | Unknown |
docx002.docx.doc | malicious | Unknown |
docx009.docx.doc | malicious | Unknown |
docx007.docx.doc | malicious | Unknown |
P0-4856383648383364838364836483.xls | malicious | Unknown |
INVOICE.docx.doc | malicious | Unknown |
Quarantined Messages (1).zip | malicious | HTMLPhisher |
KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx | malicious | HTMLPhisher |
Match: s-0005.s-dc-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
PVJ6cLZQ0T.xls | malicious | Unknown | 52.113.195.132
3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml | malicious | HTMLPhisher | 52.113.195.132
docx008.docx.doc | malicious | Unknown | 52.113.195.132
docx002.docx.doc | malicious | Unknown | 52.113.195.132
docx009.docx.doc | malicious | Unknown | 52.113.195.132
docx007.docx.doc | malicious | Unknown | 52.113.195.132
P0-4856383648383364838364836483.xls | malicious | Unknown | 52.113.195.132
INVOICE.docx.doc | malicious | Unknown | 52.113.195.132
Quarantined Messages (1).zip | malicious | HTMLPhisher | 52.113.195.132
KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx | malicious | HTMLPhisher | 52.113.195.132
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
Associated Sample Name / URL | Detection | Threat Name | Context
jlPBMMQbXC.exe | malicious | DBatLoader, Remcos | 13.107.136.10
file.exe | malicious | Amadey, Stealc, Vidar | 204.79.197.203
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 23.101.168.44
file.exe | malicious | LummaC Stealer | 13.107.246.63
file.exe | malicious | Amadey, Stealc, Vidar | 20.75.60.91
file.exe | malicious | Amadey, Stealc, Vidar | 94.245.104.56
FW Expiration Pending Support Care HIPAA Acknowledgement Form 2024.eml | malicious | Unknown | 52.109.76.243
https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=true | malicious | EvilProxy, HTMLPhisher | 13.107.246.63
file.exe | malicious | Amadey, Stealc, Vidar | 51.104.15.253
https://docs.google.com/drawings/d/1rnJTD83ySW2kuilnF4J1ffAp0B5BM7BM0Nvi8F8BbSI/preview?pli=1HeatherMitchell-andrew.tokar@overlakehospital.org | malicious | HTMLPhisher | 52.98.61.50
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
1m181Ru74o.exe | malicious | Remcos, DBatLoader | 52.113.195.132
jlPBMMQbXC.exe | malicious | DBatLoader, Remcos | 52.113.195.132
qqig1mHX8U.exe | malicious | AveMaria, DBatLoader, UACMe | 52.113.195.132
nft438A5fN.exe | malicious | DBatLoader, Remcos | 52.113.195.132
6BE4RDldhw.exe | malicious | DBatLoader | 52.113.195.132
AnyDesk.exe | malicious | DBatLoader | 52.113.195.132
file.exe | malicious | Unknown | 52.113.195.132
file.exe | malicious | Unknown | 52.113.195.132
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 52.113.195.132
file.exe | malicious | LummaC Stealer | 52.113.195.132
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.378393144690381
Encrypted:false
SSDEEP:3072:4igXHHgTmiGu2IqoQ3rt0FvfzFRH2T4CZ:4d6mi2V2FRHe40
MD5:05F6F438B9B44C1F436C27248924D1AA
SHA1:7D92FC236D8C1BA940228340B73967BCE28BEA97
SHA-256:1CDA412D2166B034EAEC3805F399D4789FE44B1149C8E1DB4DAE0967ECE9A276
SHA-512:543559ACA0B9AADF2622F8A0FCC46755796DD3839C121710C9545AAA7184173D3CF62358930BE62A88E0050DCCE5EA1823019AED6487F1FA97DE02F5D2E08CA3
Malicious:false
Reputation:low
                                                                                                                                                                                                                          Preview:TH02...... ....?......SM01X...,....L..?..........IPM.Activity...........h...............h............H..hT.O......?a....h............H..h\jon ...ppDa...h....0.....O....h.=.............h........_`.j...h.<..@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. hl.t......O...#h....8.........$h........8....."h.......`.....'h..l...........1h.=..<.........0h....4.....j../h....h......jH..h....p...T.O...-h .........O...+hL:......H.O................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:JSON data
Category:dropped
Size (bytes):521377
Entropy (8bit):4.9084889265453135
Encrypted:false
SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
MD5:C37972CBD8748E2CA6DA205839B16444
SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:false
Reputation:high, very likely benign file
Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:dropped
Size (bytes):773040
Entropy (8bit):6.55939673749297
Encrypted:false
SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
MD5:4296A064B917926682E7EED650D4A745
SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:false
Reputation:high, very likely benign file
Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):322260
Entropy (8bit):4.000299760592446
Encrypted:false
SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:CC90D669144261B198DEAD45AA266572
SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:false
Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with no line terminators
Category:modified
Size (bytes):10
Entropy (8bit):2.721928094887362
Encrypted:false
SSDEEP:3:LCQTQW:UW
MD5:403A85560AF086E8C1B382A4A64AE41C
SHA1:D6C7008D5F27720B03E1A69336F7F4CE48FB7149
SHA-256:9DB0ADC29B95AE1D02D45CBCA4F2888FE599C72B1CFBB24FB2DC83948AD6A7C8
SHA-512:5F9949B70044989D5B52F3C357951F289231718056C18CF189652A6BF9DBDE062640AAF50218AB79A338EECC4BE66621C9C7A16279D4DC928DE7290B99CF3704
Malicious:false
Preview:1732605653
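The Size, Entropy (8bit) and hash fields above can be re-derived locally, which is the check an analyst runs before trusting a report's per-file fingerprints or pivoting on them. The script below is an added example, not part of the Joe Sandbox report; it rebuilds the 10-byte ASCII file from the Preview shown above (a constructed buffer, not the dropped file itself), computes the same fields with the Python standard library, and compares them with the values the report prints for that record. SSDEEP is omitted because it needs a third-party library.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: the report lists a 10-byte file whose Preview is
# "1732605653" (ASCII text, no line terminators), so its full content is
# exactly these bytes. Rebuilt here; this is not the sandbox's file.
SAMPLE = b"1732605653"

# Values copied from the report's record for that file, for comparison.
REPORTED = {
    "size": 10,
    "entropy": 2.721928094887362,
    "md5": "403A85560AF086E8C1B382A4A64AE41C",
    "sha1": "D6C7008D5F27720B03E1A69336F7F4CE48FB7149",
    "sha256": "9DB0ADC29B95AE1D02D45CBCA4F2888FE599C72B1CFBB24FB2DC83948AD6A7C8",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 .. 8.0).

    This is what the report's "Entropy (8bit)" column measures: near 0 for
    zero-padded or repetitive data, near 8 for compressed or encrypted data.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes) -> dict:
    """Compute the per-file fields the report shows, with upper-case hex digests."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def compare(data: bytes, reported: dict, tol: float = 1e-9) -> dict:
    """Return {field: True/False} for each reported field against a local profile.

    Entropy is compared with a tolerance because the report prints a
    floating-point value; digests and sizes must match exactly.
    """
    local = profile(data)
    result = {}
    for key, value in reported.items():
        if key == "entropy":
            result[key] = abs(local[key] - value) < tol
        else:
            result[key] = local[key] == value
    return result


if __name__ == "__main__":
    for key, ok in compare(SAMPLE, REPORTED).items():
        print(f"{key:8s} {'match' if ok else 'MISMATCH'}")
```

The same `profile()` applies to any of the dropped files once retrieved from the sandbox: a result that disagrees with the report on size or a digest means the artifact on hand is not the one analysed, and an entropy close to 8.0 on a file the report labels as plain data is worth a closer look.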

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):181859
Entropy (8bit):5.295310497438809
Encrypted:false
SSDEEP:1536:Qi2XfRAqSbH4wglE6Le7HW8Qjj/o/NMOcAZl1p5ihs7EXXNEADpOBIa5YdGVF8St:ode7HW8Qjj/o/aXSbTx
MD5:0096F9EE2BCFD40FD6C3DE2E2663F734
SHA1:BB90B2A760C4212AA628F272C2D10ACD0338CF27
SHA-256:A0769009C0940B148EFADC2B96F118F012F04A5B9FD200E72C888540E3652CC8
SHA-512:0C71B1950B675A827394D7A1B0C640284FB8181A09B7FAB647E5BDB7F5366F5741DB1B1A42AE3795FB8A265E89B816E411AD9EA181D4A525BD3D00D251713044
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-26T07:20:44">.. Build: 16.0.18312.40138-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:dropped
Size (bytes):4096
Entropy (8bit):0.09216609452072291
Encrypted:false
SSDEEP:3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:F138A66469C10D5761C6CBB36F2163C3
SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:false
Preview:SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):4616
Entropy (8bit):0.13700485453793962
Encrypted:false
SSDEEP:3:7FEG2l+h1El/FllkpMRgSWbNFl/sl+ltlslVlllfllh/:7+/lUSg9bNFlEs1EP/R/
MD5:34FCBB83132E7E1480BBB1B19E4CB563
SHA1:19A9100780166710CBD7DDBA31372D48953B428C
SHA-256:470BA7063F386B879E2721A106AC93E0D66AC5E505A5EB8BDBB253BFAB9A247A
SHA-512:E7A28A00E045EF5CFD0CB64B22396A9E910991866737010FE4D61F7C3A61631E256554A1F9C907CBBBA126CBE8470312B2BECEFFF4EBF52E65CE4D3205D7F80C
Malicious:false
Preview:.... .c.....-.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04469833793377624
Encrypted:false
SSDEEP:3:G4l25hANI69oCl25hANI6l1WlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2Pv1Cl2Pv3L9XXPH4l942U
MD5:3F7F1EAF2A581C087AC831B2BCC8C17F
SHA1:ADD3636C336ABC23F46C85F038D287EEC2C99E2A
SHA-256:81ADF78F2381BAAB15415BD2013121376DD880B2A467C37EC31980438B272069
SHA-512:6BD28E97798461BA0A1F893E1FA6B94FF7213E4DB3860D2B12211FEC56007567AE75F10AD7F12AFCB01764A80C17C7AEEA50E078F036B83A25A7C0980537E0C5
Malicious:false
Preview:..-.......................]:.}xQ...^l....9;.....-.......................]:.}xQ...^l....9;...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):45352
                                                                                                                                                                                                                          Entropy (8bit):0.39538014777429875
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:KBRTQ3zRDpUll7DBtDi4kZERDe/rzqt8VtbDBtDi4kZERDI:6RTQ1tUll7DYMa/rzO8VFDYM
                                                                                                                                                                                                                          MD5:B90AE53FB4FB89D475D5918EB70EA136
                                                                                                                                                                                                                          SHA1:F5F76A3D5168975E905F78836EE4E4B6B7329A43
                                                                                                                                                                                                                          SHA-256:73FE6731C9818FF03A4FCAE78C349C83A408941D1C68B71F5F9086249ED4F52D
                                                                                                                                                                                                                          SHA-512:BBE54804490DC3A17E51A543C92DDCAF9DD5D8A9736BB3B68E54913EF9BB88E14CA434AEE4AEA6AC5007C7F97C7BD21A6E2BE61EB094B701D579F9766FE2DE6D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:7....-.............^l.....3..D...........^l.....$"6JSQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2278
                                                                                                                                                                                                                          Entropy (8bit):3.857045534133364
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:uiTrlKxsxxz7xl9Il8uWmD6pXqEG2MIo/ufapOW1Bd1rc:vTfYxupXpGv/1Di
                                                                                                                                                                                                                          MD5:9F3D6E469C90EBD83CAAF64EF9F2E307
                                                                                                                                                                                                                          SHA1:E179B3BFE3FB301ABD6A7C679A9236EB62587326
                                                                                                                                                                                                                          SHA-256:9E8CC71F187CCACBBDA7090D338C8921AECE1654759591DFF277F60851BF5770
                                                                                                                                                                                                                          SHA-512:731F936831FC3FC942A0551516647AC0C7FB2B44A4E18CBE8BD4DF3698F8EEA0E1B9E7E1D714D56221277B22A45542069F0618435436A2ED866D2FF1B1212435
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.G.w.S.F.9.w./.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.f.k.U.a.e.
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2684
                                                                                                                                                                                                                          Entropy (8bit):3.907140306999004
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:uiTrlKxJxjqxl9Il8u1+Dl0RfmVKg/jZjb3o7SXB8QiZhW8Od/vc:OuYC50ROVKCZY7SmQi+8b
                                                                                                                                                                                                                          MD5:79DDD19D96CD987E446C8C1AF842AD7D
                                                                                                                                                                                                                          SHA1:7E74D2FE546F4546179AE1C207DDF2E7859A44F5
                                                                                                                                                                                                                          SHA-256:5DBBAA54488D84D2FC43A4B829C1BB07ED6420F95109B277FA1E911743E9BB42
                                                                                                                                                                                                                          SHA-512:66F7DA9493326D5B5D4CADFDA33D154A1D12036D7A28C422CB01B97D51E43A9E98B2036D4ECD042639732A79BAFFFB322E4713F04F3E8AF8791DCA93DF7DA044
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".F.U.i.P.L.6.V.e.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.f.k.U.a.e.
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 677x63, components 3
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8532
                                                                                                                                                                                                                          Entropy (8bit):7.9477819663639035
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:jRms1Wb1wgumaYhfheVQDd1b0pcTn18m66c:lq1huAfeUrb0pHEc
                                                                                                                                                                                                                          MD5:FEA7C7CCC36C1042A4CA33733DD780AD
                                                                                                                                                                                                                          SHA1:F654C8207920BB453B3127C9B9DE2B8C0D4C7EE9
                                                                                                                                                                                                                          SHA-256:22BB2EEE11026EF1FA89B13A4D1DEF4DD8CE3016FC6D7647383B490DE5FEA1B0
                                                                                                                                                                                                                          SHA-512:363968FB7260FA926B645C74858682EB609B553E7ACFE8326F7625CEBBBA18BFA12D28C92995651207473BBA438034853CBB35D107FCB8C06A05111A6611936D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:......JFIF...................................................%... ....+. 0%((*..-1,(0"'(&...........&...&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&......?.............................................A........................!..1A."Qa.2q..#.BRb........3r....%5Ct.................................'.........................!"1..AQ.2C..............?.......P#4.f.J..Ju ....UF.P*B.@.PEF....e=@..H.i..Q...R.....@.TL.......@.P3A..#I.Q%..@.P(.....@.P(.....@.P(.....RQ...*v...(........A.D...P...4...I......V.k..u...W..^j..k.U.a]..@.P(".E.....-......qW.w..%......y..%.^R{Wi.,..X..%....q./C......Q...$..I9>.mS.u.).^..5Wj.MU).............o...9.H.F.....=:..zW|X&....8....$.G./]...N...=.l.$+l...l..=.....Z=J...T....f':q.#..\.`.m..r...J.O8.A.g.d.K...#.....`..f=w.E..-........\....~Hw...l>......RN../..,....L.8.....w.....?H.......U?...+... |.9...n=u..]|5aQ .M..@...In.s..P...p7.*b..1.#q...B....@.PEI.<.N....X..N.P.M..@.P(.....@.P(.....@.P(...W...Pxr"6z.m >....zWn..f...g...@.A.H...V9?..
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):26
                                                                                                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:gAWY3n:qY3n
                                                                                                                                                                                                                          MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                                                                                                                                                                                          SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                                                                                                                                                                                          SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                                                                                                                                                                                          SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:[ZoneTransfer]..ZoneId=3..
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 147x108, components 3
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3552
                                                                                                                                                                                                                          Entropy (8bit):7.849646070403211
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:EYTfnpcJeaiNQ/Nftz/l8c0Sy9mVSizxc5YIXzxc0:EYraDFEAVSidc5Yac0
                                                                                                                                                                                                                          MD5:A28D067A60A080A2FBA83EA85946C633
                                                                                                                                                                                                                          SHA1:1C43EB2B5C1762DED233FE11F73E53F76A245CBB
                                                                                                                                                                                                                          SHA-256:182AD4638C7B00751E5CF5333B8F08A1ED84431E6B6703D5DC749707375AC818
                                                                                                                                                                                                                          SHA-512:81F131A02F19744D3E11E9AABBCC8B7F701398F9AB1865E13F94B64341CDBA51C8B83534E11E459AFB907A7C74F87D3BD05A83B28F1731B432ECB622649E3300
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:......JFIF..................................................."...%....+. 0&()(..11,&0"'((...........&...&&''&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&'&&&'&&&&0&'&&......l............................................>...........................!."1Aa2Qq...#...Rr.....TU...3BCb................................$.......................!.1.A."Q#Ba............?........@.P(....,._`...p.)....(}....q.m..v.esp ....jB...|t...3I...f.TX.P(.....@.P(.......1.G.'.Umh.nSZ.P...c<.;4.c..#_...}k.<.........x..yf..#...W..O.=.&.)PH.@eS..3......kDkn.DL...t8l....c.q....c.I$.ffw(..J.%..@.P(..Gl.........#...........O./3..c<_=.W.]Je.6V...F.....O....Rv.+...k.wwo|.....H.}.z..Fr......X.cr..m.q<..O..L..#+3c%H....#.T.N3...*.g.R..6.V....<.e.5qW....l..R;U.....,..8.w$.QG.~.!.....d..U......=.U...m....kj.#E....H9s...^...q.V!.3...y....CWC._;z:...Z...R.x[.l....Pzs.......++`.-...kK..E.'W..U.....W<.>.....@.Pi....i....`J.....w..i.uem.)^.5.F.....Z#......:......{t.q.r'..i.n..T...u;..-w.WL'.n.C^....%.`{..Y>.
                                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):26
                                                                                                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:gAWY3n:qY3n
                                                                                                                                                                                                                          MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                                                                                                                                                                                          SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                                                                                                                                                                                          SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                                                                                                                                                                                          SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                                                                                                                                                                                          Malicious:false
Preview:[ZoneTransfer]..ZoneId=3..

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):7200
Entropy (8bit):3.739058695549538
Encrypted:false
SSDEEP:48:7DsPJh6jQK6iqSwB444ww/XWuGeZByOwww889kxWZqCMDpltfotNFPPPPPt21VBG:+h6jQl444ww/5www2x4b2HLsB/031o
MD5:0647E909C0C0B986C36B6A52E83DA607
SHA1:3E86D39EB0F72556CAF4B6C06C746F7BE8D23448
SHA-256:88A23F754A16F7C00BB6D90B9BAF56677552700A60446771852D004056D0D6CB
SHA-512:A1D00AD663A96F332BCE438A03719485BBB1B2114F21E1D0EE2C0346A1BB3C5317F47249F387563C3309559F400F2BD800A34F41BF5FAFEEBE55264CFDD1E278
Malicious:false
Preview:....D.e.a.r. .S.i.r./.M.a.,.......f.r.o.m. .0.1./.0.9./.2.0.2.4. .t.i.l.l. .d.a.t.e.,...K.i.n.d.l.y. .r.e.l.e.a.s.e. .p.a.y.m.e.n.t.........N.O.T.E.:.-...I.F. .T.H.E.R.E. .H.A.V.E. .B.E.E.N. .A.N.Y. .D.E.D.U.C.T.E.D. .T.D.S.,. .P.L.E.A.S.E. .I.S.S.U.E. .T.H.E...T.D.S. .C.E.R.T.I.F.I.C.A.T.E. .&. .L.E.D.G.E.R...A.C.=.O.R.D.I.N.G.L.Y..................................................................................................................................................................................................."...X...........T...X...h...............................D.......(.......n.......T......................................................................................................................................................................................................................................................................................................................................dJ........$..dJ.....d...d.[$.\$.a$.............[$.\$.......d...d.

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.010938669587263469
Encrypted:false
SSDEEP:768:HxqHTRVtCQKuRP98cUqrI3j3hPQVZyXVUMywB:HxqHTRX1D6cUqrI3j31QVZyXVTLB
MD5:9114E4B4AC9B15E907358EAE42E50EE0
SHA1:D7CA4F00D74577CE0EC403F298C1847596AAB6CF
SHA-256:4B3319C60D4DFAE6E098276364392AC42F4FB5CFEB56083A070F4899600AF06B
SHA-512:4BC191FE1BF70A0E2D40A944BDEA35EF8168C4DB9A6364D7ED3773F2C6020BD7893F26E89E01D2756B1EA8BDD4A79C050CFDC1A5EC4BC6F0B000CF22952FFEB5
Malicious:false
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/26/2024 07:20:40.965.OUTLOOK (0x1CC4).0x1CC8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":17,"Time":"2024-11-26T07:20:40.965Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"66186DAD-573F-49FC-B763-E8B604FC712A","Data.PreviousSessionInitTime":"2024-11-26T07:20:21.448Z","Data.PreviousSessionUninitTime":"2024-11-26T07:20:25.058Z","Data.SessionFlags":2147483652,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...11/26/2024 07:20:41.058.OUTLOOK (0x1CC4).0x1D5C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":23

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):163840
Entropy (8bit):4.827722160357581
Encrypted:false
SSDEEP:1536:yiY4iWQ9so6YeP2CpnQWkoEqQh1vWKSRc+dzimfVKbVJbnipXnX4:NY4iWQ+owql2XnI
MD5:46DDD52F60383F78073D04A92CDE04D9
SHA1:B68B59FC40FFE78CC235A17AF9D9A759FFDC5A83
SHA-256:9E60EFDB454F6A02C5B129239142A2585566C9881B6352A4F8EA4DDAD13E5879
SHA-512:697F1127CF0E7BFBF5365E1B774D3B3966BDD224B60DCB9C4CB580751B32A9768F7204593818A869FF379880E24F60CCE1E1739BF8AFCB5DFF24E1818FFA8CEA
Malicious:false
Preview:............................................................................b................?..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................L..................?..........v.2._.O.U.T.L.O.O.K.:.1.c.c.4.:.3.4.0.3.d.a.2.d.c.c.e.a.4.d.8.4.9.2.0.a.0.3.d.4.c.1.c.4.f.a.b.3...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.2.6.T.0.2.2.0.3.9.0.0.2.7.-.7.3.6.4...e.t.l.............P.P.........-....?..................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):469678
Entropy (8bit):7.999361521192208
Encrypted:true
SSDEEP:12288:9TP5FIMYjtMkgF1YBMLJdJvBdnwbHwp27eBJlAxR:ZOCrF1YBMLHJJhwbHPECP
MD5:DA899B953023E7CB5FA257CEB71E8497
SHA1:1735B4BC25F49D54E852C5275B9A16C31970D26A
SHA-256:7A62D17719BC83C5D7893E7B79BCE3324A79F4C2A127D7817DB06D8FA0BE1442
SHA-512:D4518B9D7232914D8B5192B73F8E47BA37F030465E2F585DF3B994E4503346BF8CD8D2696AEAC2856281CB23A58836B2A697EDB5FF7C88BAD9F207DBBD0AD744
Malicious:false
Preview:.M.3...m...8..C...i.0X...,...gk.6.=...>|...0.....S.2.9P..Ev.Z|.....3.....rl......cY...=$N..1e;.k.....)mB..k .Qd4e...na......%._.r.....4`.....=S.3.`;..fIl'...3.B@..]&)Q..@..'...n...Z'}...+%9D.[........aq..9u."=A.L..5...u.UMP.B<..&.dn.....'....D..``.)1x...J.6.1.@..gn6..=....}h....#3.r)..y...M...d..~..\.../..5su...H5%..G|.&V..i'..8..X..<...>.+.IC....O_|_......'.:.6..s.EdY..Z...a.......w.Z..M.....4.Y....CI.._3..xt42........n6._.........p..r1..|.....k...n..qwI.....B9.[$....^<u.....B...v..\(ZI..p..!.R....815T...K.s.H..z..}8O.}..4m...w...6.[.k..pmr..o...@k.+.A. ........e.i.. ._=.y.S.l...(....X98..7.r.9{.G.,.n..>..%..q.GK....y\.l...ZG......p.][~....:..2S+......dI..p.?.fe...{.........R.....zQ.xK...\.]..X..ze..iM...E.I*P.=.....P......L..Z.q..F5.."...%.T..|...-....^.. ad.u=.P.....~....D..cQ+...i~.$....,.....,..;?...=.kv.@.. ...d.](.7N.^._ .@...3?.E..0?(..K...O...*r.....:XT-....&....c.h!.c)....W.y.....o.\.O.#Z...e,....1b.OP.M."l!2`.?...-1v..$]d.#P.(%.

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:tHzX:
MD5:794C1C7746C3ABECB50882A0DECF5729
SHA1:E52EB86FE6A0E93D94328966063CC58B113B86E8
SHA-256:FF6F7D5B26BDF5F8668DE91DAED3CE6E459A53C9625B504EFCFF3259B733311F
SHA-512:62C873BB90B3BF56AECAAD2E4E525A4BF9AFE8FEF0B9EEDE8DBFDFDF629BD69663DBD6D44A14965C7645542D61239459A7C465109B8CC1B05B476FB1F442C9FF
Malicious:false
Preview:..............................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.670315011971925
Encrypted:false
SSDEEP:12:rl3baFwckqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCM5ow:r8mnq1Py961M5t
MD5:EE0BFF0FEFC5CC1E9B1335B9568EEFB8
SHA1:DAE844B227FFDDB2E9F50EAC0ABDBB8715D42F23
SHA-256:53F16520DC00D73E8140CC85EAC4E9D2285534760429B5EA1FC50DB88049A382
SHA-512:818E7DED5FE4193B31202A5F721BA9B9C3E4F1F79FF6FBEBD0FD3D0E18B50687B9C1BB174BA385704F2DD95238DEDB4BF0919B4CB5FDE5018B377D3F5620B3DE
Malicious:true
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):779264
Entropy (8bit):7.554006904827968
Encrypted:false
SSDEEP:12288:mG1GvwnpkX3jCZqP2y4iQTM8hElo/14t2sdU4tH5VwRz7O9cFr2Ob:bTeX3j8qU/g8hit2WUqZmRO
MD5:10A99648D4EE0957B59F78C3C8834661
SHA1:EE01B68A0687C0133E4BC7E69BC8228E5F1E302E
SHA-256:7D0565817FD28D8EA129E687F6EF6CE4B170076501613973C2399BD1778D85F7
SHA-512:A3F8D38A563480DA5B10311D56A79CCDB43488F8DE73F3CBA56EAB767DF5DC752A2C18D1A152020E0A06A37C1AA96645CF114B2A9F43049F3977B958CA8403CF
Malicious:true
Preview:!BDN=...SM......\...E...........F.......l................@...........@...@...................................@..........................................................................................@...............D...............A.....................................................................................................................................................................................................................................................................................................z..hq.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):786432
Entropy (8bit):7.242189874696234
Encrypted:false
SSDEEP:12288:Y2u6JVvcMMkVz6tSez2yjiQTy81xlo/EHN0s+tM5cwWzKNae2U:111Vz6oer/O81xN0hwjWIQU
MD5:C6E3079BF44D5976C34082C8E6234F45
                                                                                                                                                                                                                          SHA1:5584A17018F0AB43F10513848F665146B6062780
                                                                                                                                                                                                                          SHA-256:1459BD3968F61B36A3E659E24CCED8D63F2F19CB2A73B58E1C65D4BDB322CD92
                                                                                                                                                                                                                          SHA-512:DFD5743AF86394471950777E489CBD9AF00534BB87ACA215F642282B7108D96C3CC05D38E371445F1BFDC638AB2644D68EA8B33BF1746B3FE4851151A0E774B5
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Preview:J.x.0....................?....................#.!BDN=...SM......\...E...........F.......l................@...........@...@...................................@..........................................................................................@...............D...............A.....................................................................................................................................................................................................................................................................................................z..hqJ.x.0....................?....................#.J.x.0....................?....................#.!BDN=...SM......\...E...........F.......l................@...........@...@...................................@..........................................................................................@...............D...............A............................................................................................
File type: RFC 822 mail, ASCII text
Entropy (8bit): 6.056904710411209
TrID:
• E-Mail message (Var. 5) (54515/1) 100.00%
File name: 9oKqST-uPDy7iigkXM-C5J2.eml
File size: 845'579 bytes
MD5: 32161bb2b1abdd04ce207033fbf339cd
SHA1: 6aab3cfb4975ca8a04bed3d5616bf8f04e433b7b
SHA256: 1d97732cf7ef7f8cc9bf8b57e36996e61e568563f5c5ca4ebe6fdfb14333753e
SHA512: cdcbe6a57ddde16e9ee8d0f993d20a141c136899ba34a1d02f0a891ae748f6f24ad7a1a47a81f0031d13fb43aae1574988cd011ee26d066d3bd7c852ab27a69b
SSDEEP: 12288:7BLHSU7WJ0keMJ0BmFYA7zw2AyLDm3R9jIt+lMrY/0jX74q8IoM9pCkl/rai0:7h720ke+0Bu7w2rLaROc/0jLPPyo/p0
TLSH: A60523753F902896D71A8D1A66A37FBA07E63FDE95C39D9072A635C30CCDA40A45E308
File Content Preview: Received: from mail.yarn-textile.com ([103.129.203.138]:57054)..by gw-ip01-01.iprino.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384..(Exim 4.96)..(envelope-from <info1@yarn-textile.com>)..id 1tFllq-000000004Kq-2hIp;..Tue, 26 Nov 2024 03:57:54 +0100.
Subject: Re: Re: Updated SOA_9828392091
From: "cacida@wheel-done.com" <cacida@wheel-done.com>
To:
Cc:
BCC:
Date: Tue, 26 Nov 2024 08:38:52 +0600
Communications:
• Dear Sir/Ma , Kindly find attached SOA from 01/09/2024 till date, Kindly release payment. NOTE:- IF THERE HAVE BEEN ANY DEDUCTED TDS, PLEASE ISSUE THE TDS CERTIFICATE & LEDGER ACCORDINGLY. Best Regards Cacida Li Manager Sea Exports Wheel-done (Shenzhen) Logistics Co., Ltd. : 4002A8B Add : 8B, Block A, Honglong Century Plaza, 4002 Shennan East Road, Guiyuan Street, Luohu District, Shenzhen 518001, P.R. China Web : [ http://www.wheel-done.com/ | www.wheel-done.com ] ----------------------------------------------------------------------------------- Tell: (+ 86 ) 0755-82234678-8019 Email: [ mailto:%C2%A0cacida@wheel-done.com | cacida@wheel-done.com ] Mobile/Whatsapp/WeChat: + 86 -13421309600 QQ:2034767452 WCA ID : 130582
Attachments:
• SOA_9828392091.rar
Key                     Value
Received                from mail.yarn-textile.com (mail.yarn-textile.com [103.129.203.138]) by mail.yarn-textile.com (Postfix) with ESMTP id 108FE10049E45; Tue, 26 Nov 2024 08:38:54 +0600 (+06)
X-Virus-Scanned         amavis at yarn-textile.com
Date                    Tue, 26 Nov 2024 08:38:52 +0600
From                    "cacida@wheel-done.com" <cacida@wheel-done.com>
Message-ID              <380072705.661395.1732588732463.JavaMail.zimbra@yarn-textile.com>
Subject                 Re: Re: Updated SOA_9828392091
MIME-Version            1.0
Content-Type            multipart/mixed; boundary="----=_Part_661364_1613174734.1732588731227"
X-Originating-IP        [102.90.101.4]
X-Mailer                Zimbra 8.8.15_GA_4581 (ZimbraWebClient - FF132 (Win)/8.8.15_GA_4581)
Thread-Index            hZKQN/d4j6TYMVfUR3cW683l4lDKzw==
Thread-Topic            Updated SOA_9828392091
X-Sophos-IBS            success
X-SASI-Version          Antispam-Engine: 6.0.0.1, AntispamData: 2024.11.26.22746
X-SASI-RCODE            200
X-SASI-SpamProbability  54%
X-SASI-Hits             ARCHIVE_ATTACHED 0.000000, BODYTEXTH_SIZE_10000_LESS 0.000000, BODYTEXTH_SIZE_3000_MORE 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_10000_PLUS 0.000000, BODY_SIZE_100K_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000, BODY_SIZE_500K_PLUS 0.000000, BODY_SIZE_50K_PLUS 0.000000, BODY_SIZE_75K_PLUS 0.000000, FRAUD_ATTACH 0.050000, HREF_LABEL_TEXT_ONLY 0.000000, HTML_90_100 0.100000, IMG_ATTACHED_2P 0.000000, INVOICE_ARCHIVE 1.500000, INVOICE_ATTACHMENT 0.100000, JPG_COMMON_HEADER_ORDER 0.000000, JPG_PIXPERBYTE_LOW 0.000000, JPG_PIXPERBYTE_MED 0.000000, JPG_SPAMMY_Y_RESOLUTION 0.000000, LOCALE_CHINESE 0.000000, MISSING_HEADERS 0.000000, MULTIPLE_ATTACHMENTS 0.000000, NO_URI_HTTPS 0.000000, OBFUSCATION 0.000000, RAR_ATTACHED 0.100000, RAR_ATTACHED_EXEC 3.500000, RCVD_LOCALHOST_LOCALDOMAIN 0.000000, SENDER_NO_AUTH 0.000000, TO_MALFORMED 0.000000, WEBMAIL_SOURCE 0.000000, WEBMAIL_XOIP 0.000000, WEBMAIL_X_IP_HDR 0.000000, __ANY_URI 0.000000, __ATTACHMENT_NOT_IMG 0.000000, __ATTACHMENT_PHRASE 0.000000, __ATTACHMENT_SIZE_100K_PLUS 0.000000, __ATTACH_CTE_BASE64 0.000000, __ATTACH_CTE_QUOTED_PRINTABLE 0.000000, __BODY_TEXT_X4 0.000000, __BOUNCE_CHALLENGE_SUBJ 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000, __CHAR_CHINESE_UTF8 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_MIXED 0.000000, __EMBEDDED_IMG 0.000000, __FRAUD_INTRO 0.000000, __FRAUD_MONEY_BIG_COIN 0.000000, __FRAUD_MONEY_BIG_COIN_DIG 0.000000, __FROM_ADDY_SHORT_LC 0.000000, __FROM_NAME_ADDRESS 0.000000, __FUR_HEADER 0.000000, __HAS_ATTACHMENT 0.000000, __HAS_ATTACHMENT1 0.000000, __HAS_ATTACHMENT2 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HAS_XOIP 0.000000, __HAS_X_MAILER 0.000000, __HELO_LOCALHOST 0.000000, __HELO_LOCALHOST1 0.000000, __HIDDEN_HTML_CONTENT 0.000000, __HIGHBITS 0.000000, __HIGHBIT_ASCII_MIX 0.000000, __HREF_LABEL_TEXT 0.000000, __HREF_LABEL_URI 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BOLD 0.000000, __HTML_ENTITIES_X4 0.000000, __HTML_FONT_RED 0.000000, __HTML_HREF_TAG_X2 0.000000, __HTML_TAG_DIV 0.000000, __HTML_TAG_IMG_X2 0.000000, __IMG_ATTACHED 0.000000, __IMG_SIZE_10K_50K 0.000000, __IMG_SIZE_1K_10K 0.000000, __IMG_THEN_TEXT 0.000000, __INT_PROD_LOC 0.000000, __INVOICE_MULTILINGUAL 0.000000, __JPG_HEIGHT_100 0.000000, __JPG_SPAMMY_Y_RESOLUTION_1 0.000000, __JPG_WIDTH_100 0.000000, __LINES_OF_YELLING 0.000000, __MIME_ATTACHMENT_1_N 0.000000, __MIME_ATTACHMENT_1_N_N_N 0.000000, __MIME_ATTACHMENT_N_2 0.000000, __MIME_ATTACHMENT_N_3 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000, __MULTIPLE_URI_TEXT 0.000000, __PART_TYPE_HTML 0.000000, __PHISH_PHRASE10_D 0.000000, __PHISH_SPEAR_GREETING 0.000000, __PHISH_SPEAR_STRUCTURE_1 0.000000, __PHISH_SPEAR_SUBJ_PREDICATE 0.000000, __RAR_ATTACHED1 0.000000, __RAR_ATTACHED2 0.000000, __RAR_ATTACHED3 0.000000, __RAR_ATTACHED_EXEC 0.000000, __RAR_ATTACHED_EXEC4 0.000000, __RCVD_FROM_SUSP_HOSTNAME 0.000000, __SANE_MSGID 0.000000, __STOCK_CRUFT 0.000000, __STOCK_PHRASE_24 0.000000, __SUBJ_ALPHA_NEGATE 0.000000, __SUBJ_REPLY 0.000000, __TAG_EXISTS_BODY 0.000000, __TAG_EXISTS_HTML 0.000000, __URI_ENDS_IN_SLASH 0.000000, __URI_HAS_HYPHEN_USC 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000, __URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000, __WHATSAPP_PHRASE 0.000000, __X_MAILER_ZIMBRA 0.000000, __X_VIRUS_SCANNED 0.000000
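The header table above already contains the facts an analyst checks first on an invoice-themed phish: the header From sits at wheel-done.com while the envelope-from in the Received chain and the Message-ID are at yarn-textile.com, the webmail X-Originating-IP differs from the relay, the only attachment is a RAR archive, and the Sophos X-SASI-Hits line lists which rules actually scored (RAR_ATTACHED_EXEC 3.5, INVOICE_ARCHIVE 1.5, plus four small hits) against dozens that scored zero. The script below is an added example, not part of the Joe Sandbox report or of any tool it names. It parses these headers out of a constructed .eml whose header values are copied from the report; the MIME body is a stand-in, the "attachment" is only the 7-byte RAR 4.x signature rather than the real SOA_9828392091.rar, and the X-SASI-Hits value is cut down to an excerpt. The Return-Path preference, the archive extension list and the sender-mismatch heuristic are this example's own choices.

```python
"""Header triage for the e-mail analysed above.

Added example, not part of the Joe Sandbox report. Header values are the ones
the report shows; the MIME body is a constructed stand-in, the "attachment" is
just the 7-byte RAR 4.x signature, and X-SASI-Hits is cut to an excerpt.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

RAR4_MAGIC = b"Rar!\x1a\x07\x00"                    # 52 61 72 21 1A 07 00
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso", ".img")  # example's own list
ENVELOPE_RE = re.compile(r"envelope-from\s+<?([^>\s]+)>?", re.I)
# "from <host> (... [<ip>]) ... by <host>" as written by Exim and Postfix
HOP_RE = re.compile(r"from\s+(\S+)\s*\(?[^()\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")

# Constructed sample (header values from the report, body is a stand-in).
SAMPLE_EML = """\
Received: from mail.yarn-textile.com ([103.129.203.138]:57054)
 by gw-ip01-01.iprino.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
 (Exim 4.96) (envelope-from <info1@yarn-textile.com>)
 id 1tFllq-000000004Kq-2hIp; Tue, 26 Nov 2024 03:57:54 +0100
Received: from mail.yarn-textile.com (mail.yarn-textile.com [103.129.203.138])
 by mail.yarn-textile.com (Postfix) with ESMTP id 108FE10049E45; Tue, 26 Nov 2024 08:38:54 +0600 (+06)
Date: Tue, 26 Nov 2024 08:38:52 +0600
From: "cacida@wheel-done.com" <cacida@wheel-done.com>
Message-ID: <380072705.661395.1732588732463.JavaMail.zimbra@yarn-textile.com>
Subject: Re: Re: Updated SOA_9828392091
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_661364_1613174734.1732588731227"
X-Originating-IP: [102.90.101.4]
X-SASI-Hits: FRAUD_ATTACH 0.050000, HTML_90_100 0.100000, INVOICE_ARCHIVE 1.500000,
 INVOICE_ATTACHMENT 0.100000, RAR_ATTACHED 0.100000, RAR_ATTACHED_EXEC 3.500000,
 __HAS_ATTACHMENT 0.000000, __X_MAILER_ZIMBRA 0.000000

------=_Part_661364_1613174734.1732588731227
Content-Type: text/plain; charset=utf-8

Kindly find attached SOA from 01/09/2024 till date, Kindly release payment.
------=_Part_661364_1613174734.1732588731227
Content-Type: application/x-rar-compressed; name="SOA_9828392091.rar"
Content-Disposition: attachment; filename="SOA_9828392091.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAA==
------=_Part_661364_1613174734.1732588731227--
"""


def domain(addr):
    """Lower-cased domain of an address, or None when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else None


def received_info(msg):
    """Hops as (from_host, from_ip, by_host), newest first, plus the envelope sender."""
    hops = []
    envelope = str(msg.get("Return-Path", "")).strip("<> ") or None
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())          # unfold, squeeze whitespace
        m = HOP_RE.search(flat)
        hops.append(m.groups() if m else (None, None, None))
        env = ENVELOPE_RE.search(flat)
        if envelope is None and env:                 # Exim records MAIL FROM here
            envelope = env.group(1)
    return hops, envelope


def parse_sasi_hits(value):
    """'RULE score, RULE score, ...' -> {RULE: float(score)}."""
    hits = {}
    for item in re.split(r",\s*", " ".join(str(value).split())):
        name, _, score = item.rpartition(" ")
        if name:
            hits[name] = float(score)
    return hits


def attachment_findings(msg):
    """Filename, archive extension and RAR magic check for every attachment."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        out.append({"filename": name, "size": len(data),
                    "archive_ext": name.lower().endswith(ARCHIVE_EXT),
                    "rar_magic": data.startswith(RAR4_MAGIC)})
    return out


def triage(raw):
    """The header facts an analyst checks first on a suspected invoice phish."""
    msg = message_from_string(raw, policy=policy.default)
    hops, envelope = received_info(msg)
    from_dom = domain(parseaddr(str(msg.get("From", "")))[1])
    hits = parse_sasi_hits(msg.get("X-SASI-Hits", ""))
    return {
        "from_domain": from_dom,
        "envelope_domain": domain(envelope),
        "sender_mismatch": from_dom != domain(envelope),   # header From vs MAIL FROM
        "originating_ip": str(msg.get("X-Originating-IP", "")).strip("[] "),
        "first_hop": hops[-1] if hops else None,            # oldest hop, nearest the sender
        "scoring_hits": {k: v for k, v in hits.items() if v > 0},
        "sasi_total": round(sum(hits.values()), 6),
        "attachments": attachment_findings(msg),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_EML).items():
        print(f"{key}: {val}")
```

On this sample the result shows the From/envelope domain mismatch (wheel-done.com vs yarn-textile.com), the first hop at 103.129.203.138 with the Zimbra webmail client at 102.90.101.4, six scoring Sophos rules totalling 5.35, and one attachment whose .rar extension agrees with its RAR magic. Against a real .eml, replace SAMPLE_EML with the file contents; when a Return-Path header is present it is preferred over the envelope-from noted in Received, since the receiving MTA writes it from the actual SMTP MAIL FROM.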

Icon Hash: 46070c0a8e0c67d6
Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-11-26T08:20:47.616660+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49740        52.113.195.132  443        TCP
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 26, 2024 08:20:46.005923986 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:46.005970955 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:46.006056070 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:46.006422997 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:46.006436110 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:47.616545916 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:47.616660118 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:47.957412004 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:47.957448006 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:47.957784891 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:47.959836006 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.007335901 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.658320904 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.658345938 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.658411980 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.658426046 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.658466101 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.690825939 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.690835953 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.690897942 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.690911055 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.707484961 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.707540989 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.707551956 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.707606077 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.871356010 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.871428013 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.871444941 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.902997017 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.903111935 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.903146029 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.924738884 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.924815893 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.924830914 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.942869902 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.942904949 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.942924023 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.942933083 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:48.942970037 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:48.988084078 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:49.062988997 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:49.063005924 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:49.063043118 CET  443          49740      52.113.195.132  192.168.2.4
Nov 26, 2024 08:20:49.063070059 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:49.063123941 CET  49740        443        192.168.2.4     52.113.195.132
Nov 26, 2024 08:20:49.076718092 CET  443          49740      52.113.195.132  192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.076725960 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.076814890 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.076829910 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.089519024 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.089539051 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.089618921 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.089632988 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.105782032 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.105796099 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.105881929 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.105897903 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.118113041 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.118129015 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.118212938 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.118221998 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.134332895 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.134342909 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.134430885 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.134440899 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.184696913 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.184710026 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.184735060 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.184840918 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.184849024 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.184875965 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.200984001 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.200994015 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.201015949 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.201098919 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.201105118 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.201153994 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.266705036 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.266716003 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.266748905 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.266772032 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.266833067 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.276612043 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.276624918 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.276720047 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.276732922 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.276822090 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.279208899 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.288592100 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.288636923 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.288691998 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.288703918 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.288747072 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.298146963 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.298158884 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.298222065 CET4434974052.113.195.132192.168.2.4
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.298265934 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.298300028 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.325757027 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.325963020 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.328924894 CET49740443192.168.2.452.113.195.132
                                                                                                                                                                                                                          Nov 26, 2024 08:20:49.328943014 CET4434974052.113.195.132192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 08:20:45.988367081 CET | 1.1.1.1 | 192.168.2.4 | 0xb266 | No error (0) | s-0005.s-dc-msedge.net | | 52.113.195.132 | A (IP address) | IN (0x0001) | false
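Joe Sandbox reports often reach an analyst as text with the table separators stripped, so a TCP-packet row reads `Nov 26, 2024 08:20:48.924815893 CET49740443192.168.2.452.113.195.132`, and the trailing digits have several numerically valid readings (49740/443 with 192.168.2.4 and 52.113.195.132, but also 497/40443, or 192.168.2.45 and 2.113.195.132). The Python below is an added example, not part of the report or of Joe Sandbox, that recovers the columns by enumerating every split and scoring each against hosts already known from the report (the analysis VM 192.168.2.4 and the address the DNS answer above gives for s-0005.s-dc-msedge.net) and the Windows ephemeral-port convention; the four sample rows are copied from the packet table above, and `KNOWN_HOSTS` is an analyst-supplied assumption, not something the report states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterator

# Rows copied from the TCP-packet table in this report. With the separators
# gone, each row is: timestamp, src port, dst port, src IP, dst IP, and the
# four trailing fields are concatenated with nothing between them.
SAMPLE_ROWS = [
    "Nov 26, 2024 08:20:48.924815893 CET49740443192.168.2.452.113.195.132",
    "Nov 26, 2024 08:20:48.924830914 CET4434974052.113.195.132192.168.2.4",
    "Nov 26, 2024 08:20:48.942869902 CET4434974052.113.195.132192.168.2.4",
    "Nov 26, 2024 08:20:48.942924023 CET49740443192.168.2.452.113.195.132",
]
# Analyst-supplied hint (an assumption, not report data): the analysis VM and
# the address the DNS answer gave for s-0005.s-dc-msedge.net.
KNOWN_HOSTS = {"192.168.2.4", "52.113.195.132"}

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<rest>\d[\d.]*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    sport: int
    dport: int
    src: str
    dst: str


def _num_ok(s: str, limit: int) -> bool:
    """Decimal field with no leading zero ('0443' is rejected) and <= limit."""
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= limit


def candidates(rest: str) -> Iterator[tuple[int, int, str, str]]:
    """Yield every (sport, dport, src, dst) reading of the concatenated fields."""
    parts = rest.split(".")
    if len(parts) != 7:  # two dotted quads contribute exactly six dots
        return
    if not all(_num_ok(o, 255) for o in (parts[1], parts[2], parts[4], parts[5], parts[6])):
        return
    head, mid = parts[0], parts[3]
    for i in range(1, 4):  # tail of head is src's first octet; the rest is both ports
        if len(head) <= i or not _num_ok(head[-i:], 255):
            continue
        ports = head[:-i]
        for j in range(1, 4):  # mid is src's last octet glued to dst's first octet
            a4, b1 = mid[:j], mid[j:]
            if not (_num_ok(a4, 255) and _num_ok(b1, 255)):
                continue
            src = ".".join((head[-i:], parts[1], parts[2], a4))
            dst = ".".join((b1, parts[4], parts[5], parts[6]))
            for p in range(1, 6):  # split the port digits into sport|dport
                if _num_ok(ports[:p], 65535) and _num_ok(ports[p:], 65535):
                    yield int(ports[:p]), int(ports[p:]), src, dst


def _score(cand: tuple[int, int, str, str], known_hosts: set[str]) -> int:
    sport, dport, src, dst = cand
    score = int(src in known_hosts) + int(dst in known_hosts)
    # A Windows client talks from an ephemeral port (49152-65535) to a service port (<1024).
    if (sport >= 49152 and dport < 1024) or (dport >= 49152 and sport < 1024):
        score += 1
    return score


def parse_row(line: str, known_hosts: set[str]) -> Packet:
    """Return the unique best-scoring reading of a row, or raise if it stays ambiguous."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    scored = [(_score(c, known_hosts), c) for c in candidates(m["rest"])]
    if not scored:
        raise ValueError(f"no valid reading: {line!r}")
    best = max(s for s, _ in scored)
    winners = [c for s, c in scored if s == best]
    if len(winners) != 1:
        raise ValueError(f"ambiguous row {line!r}: {winners}")
    return Packet(m["ts"], *winners[0])


def ambiguous(line: str, known_hosts: set[str]) -> bool:
    """True when the row cannot be read unambiguously with the given hints."""
    try:
        parse_row(line, known_hosts)
    except ValueError:
        return True
    return False


def summarize(lines: list[str], known_hosts: set[str]) -> dict:
    """Packets per direction and first/last timestamp, keyed (client, cport, server, sport)."""
    flows: dict = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for line in lines:
        pkt = parse_row(line, known_hosts)
        outbound = pkt.sport > pkt.dport  # the higher-numbered port is the client side
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        flow = flows[key]
        flow["out" if outbound else "in"] += 1
        flow["first"] = flow["first"] or pkt.ts
        flow["last"] = pkt.ts
    return dict(flows)
```

Without the host hint the first sample row stays ambiguous (192.168.2.4 versus 192.168.2.45 both pass the octet and port checks), which is why the parser refuses to guess and raises instead of silently returning one reading; feeding it the resolved addresses from the DNS-answer table is what makes the flow summary trustworthy.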
• ecs.office.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49740 | 52.113.195.132 | 443 | 7364 | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
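The HTTPS session rows that follow (timestamp, bytes transferred, direction, data, with header lines and `Data Raw` / `Data Ascii` previews underneath) can be read back into request and response objects the same way. The Python below is an added example, not part of the report or of Joe Sandbox: it groups the flattened rows into messages, checks that each hex preview decodes to the printable preview beside it, tallies the body bytes the report says arrived against the server's Content-Length (the report keeps only a prefix of each chunk, so the JSON body cannot be reconstructed from the page), and pulls the per-install identifiers out of the ECS query string. `SAMPLE_EXCHANGE` is constructed from the session-0 rows below with the header set, query string and previews cut short; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed from the session-0 rows in this report (OUTLOOK.EXE -> ecs.office.com).
# Only some headers are kept and the query string and previews are cut short so the
# sample stays small; the row layout (timestamp, bytes, direction, data) is the report's.
SAMPLE_EXCHANGE = """\
2024-11-26 07:20:47 UTC813OUTGET /config/v2/Office/outlook/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=outlook&SessionId=%7b059BD83B-3A9F-4761-BF21-FAE3AB004A61%7d HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office 2014
Host: ecs.office.com
2024-11-26 07:20:48 UTC847INHTTP/1.1 200 OK
Content-Length: 146854
Content-Type: application/json
Connection: close
2024-11-26 07:20:48 UTC3351INData Raw: 7b 22 45 43 53 22 3a 7b 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 64 65 66 61 75 6c 74 22
Data Ascii: {"ECS":{"ConfigLogTarget":"default"
2024-11-26 07:20:48 UTC8192INData Raw: 59 53 76 6f 6a 36 76 72 72 6b 48 4a
Data Ascii: YSvoj6vrrkHJ
"""

# "UTC813OUTGET ..." splits cleanly because the byte count is always followed by IN or OUT.
HTTP_ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)(?P<size>\d+)(?P<dir>IN|OUT)(?P<data>.*)$"
)


@dataclass
class Message:
    ts: str
    direction: str                     # OUT: sandbox -> server, IN: server -> sandbox
    start_line: str                    # request line or status line
    headers: dict = field(default_factory=dict)
    chunks: list = field(default_factory=list)  # (bytes transferred, raw preview, ascii preview)


def parse_exchange(text: str) -> list[Message]:
    """Group the flattened rows into messages; body previews attach to the last message."""
    msgs: list[Message] = []
    pending = None
    for line in text.splitlines():
        m = HTTP_ROW_RE.match(line)
        if m and m["data"].startswith("Data Raw: "):
            pending = (int(m["size"]), bytes.fromhex(m["data"][len("Data Raw: "):]))
        elif m:
            msgs.append(Message(m["ts"], m["dir"], m["data"]))
        elif line.startswith("Data Ascii: "):
            msgs[-1].chunks.append((*pending, line[len("Data Ascii: "):]))
            pending = None
        elif ": " in line:  # a header line belonging to the most recent message
            name, value = line.split(": ", 1)
            msgs[-1].headers[name] = value
    return msgs


def previews_consistent(msg: Message) -> bool:
    """Each hex preview must decode to the printable preview the report shows under it."""
    return all(raw.decode("latin-1").startswith(ascii_) for _, raw, ascii_ in msg.chunks)


def body_accounting(msg: Message) -> tuple[int, int]:
    """(body bytes the report says arrived, Content-Length the server declared)."""
    received = sum(size for size, _, _ in msg.chunks)
    return received, int(msg.headers.get("Content-Length", 0))


def client_identifiers(request: Message) -> dict[str, str]:
    """Per-install and per-session values Office sends in the ECS query string."""
    target = request.start_line.split(" ")[1]
    query = parse_qs(urlsplit(target).query)
    return {k: query[k][0] for k in ("Clientid", "SessionId") if k in query}
```

Run against the full session the two numbers from `body_accounting` only converge once every chunk row has been read; a gap between them on a complete session means the report's chunk list was cut, not that the server sent less than it declared.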
Timestamp | Bytes transferred | Direction | Data
2024-11-26 07:20:47 UTC | 813 | OUT | GET /config/v2/Office/outlook/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7423E565-A626-48D4-A186-93E31FBB3F25%7d&Application=outlook&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=outlook.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b059BD83B-3A9F-4761-BF21-FAE3AB004A61%7d&LabMachine=false HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
If-None-Match: ""
User-Agent: Microsoft Office 2014
DisableExperiments: false
X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130
Host: ecs.office.com
2024-11-26 07:20:48 UTC | 847 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=14400
Content-Length: 146854
Content-Type: application/json
Expires: Tue, 26 Nov 2024 11:20:48 GMT
ETag: "XiARgKSR9sL92A9KBRhzvj3Wgy49b3YWMXo6mB8w7Ok="
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=Edge-Prod-BL2r8c&FrontEnd=AFD"}],"include_subdomains":true}
NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 2785063B10234C189AD6F2F9B7C7C743 Ref B: BL2AA2030103021 Ref C: 2024-11-26T07:20:48Z
Date: Tue, 26 Nov 2024 07:20:48 GMT
Connection: close
2024-11-26 07:20:48 UTC | 3351 | IN | Data Raw: 7b 22 45 43 53 22 3a 7b 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 63 37 32 65 61 32 38 37 2d 65 64 37 37 2d 34 66 61 36 2d 61 34 38 30 2d 33 37 31 32 34 30 36 63 33 36 37 65 22 3a 22 61 6b 61 2e 6d 73 2f 45 63 73 43 61 6e 61 72 79 22 2c 22 43 61 63 68 65 45 78 70 69 72 79 49 6e 4d 69 6e 22 3a 32 34 30 2c 22 45 6e 61 62 6c 65 53 6d 61 72 74 45 54 61 67 22 3a 31 2c 22 43 6f 6e 66 69 67 49 64 44 65 6c 69 6d 69 74 65 72 49 6e 4c 6f 67 22 3a 22 3b 22 7d 2c 22 4e 61 6e 63 79 4f 66 66 69 63 65 54 65 61 6d 22 3a 7b 22 7a 68 65 74 61 6e 34 31 32 32 30 32 31 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 41 63 63 65 73 73 22 3a 7b 22 55 73 65 46 6f 72 6d 54 68 65 6d 65 49 66 4e 6f 50 61 72 65 6e 74 53 65 63 74 69 6f 6e
Data Ascii: {"ECS":{"ConfigLogTarget":"default","c72ea287-ed77-4fa6-a480-3712406c367e":"aka.ms/EcsCanary","CacheExpiryInMin":240,"EnableSmartETag":1,"ConfigIdDelimiterInLog":";"},"NancyOfficeTeam":{"zhetan4122021":true},"Office_Access":{"UseFormThemeIfNoParentSection
2024-11-26 07:20:48 UTC | 8192 | IN | Data Raw: 59 53 76 6f 6a 36 76 72 72 6b 48 4a 6a 35 43 4a 57 45 35 38 2b 4d 38 48 62 62 62 41 4f 78 78 56 75 66 72 38 43 6b 4c 67 4b 6e 37 39 77 70 78 74 6c 6b 42 58 47 7a 73 45 2f 62 7a 61 38 6c 73 77 57 46 42 63 38 49 45 34 42 65 37 63 77 54 34 4f 59 51 48 64 6f 61 46 4a 45 68 78 72 70 76 37 68 54 69 4c 37 41 42 61 4d 75 6f 45 68 77 6f 68 62 4e 31 56 4b 38 51 70 31 61 32 64 4b 75 72 4d 74 34 5a 63 2b 6e 35 4b 44 75 30 76 4f 71 32 68 33 67 37 38 45 78 41 4f 6b 72 54 5a 7a 37 72 66 46 35 4a 51 43 78 4e 76 48 79 2f 42 7a 58 5a 65 50 5a 57 50 77 6e 4f 38 62 6f 30 50 37 30 7a 76 43 53 2b 36 32 56 47 71 2b 73 79 72 52 4a 6d 45 71 44 6a 6a 67 58 61 47 37 73 72 4e 79 41 44 54 4e 64 4f 68 32 62 4f 55 32 57 59 48 34 64 41 34 64 65 78 58 67 68 34 42 64 73 4b 36 62 53 7a 6f
Data Ascii: YSvoj6vrrkHJj5CJWE58+M8HbbbAOxxVufr8CkLgKn79wpxtlkBXGzsE/bza8lswWFBc8IE4Be7cwT4OYQHdoaFJEhxrpv7hTiL7ABaMuoEhwohbN1VK8Qp1a2dKurMt4Zc+n5KDu0vOq2h3g78ExAOkrTZz7rfF5JQCxNvHy/BzXZePZWPwnO8bo0P70zvCS+62VGq+syrRJmEqDjjgXaG7srNyADTNdOh2bOU2WYH4dA4dexXgh4BdsK6bSzo
2024-11-26 07:20:48 UTC | 4144 | IN | Data Raw: 70 43 61 63 68 65 22 3a 74 72 75 65 2c 22 44 65 6c 65 74 65 45 64 69 74 6f 72 45 61 72 6c 79 52 65 74 75 72 6e 4f 6e 52 65 65 6e 74 72 79 22 3a 74 72 75 65 2c 22 53 56 47 4c 6f 61 64 46 72 6f 6d 4c 6f 63 61 6c 46 69 6c 65 73 79 73 74 65 6d 22 3a 74 72 75 65 2c 22 55 73 65 4c 6f 67 69 63 61 6c 44 50 49 46 6f 72 56 65 63 74 6f 72 49 6d 61 67 65 52 65 73 6f 75 72 63 65 22 3a 74 72 75 65 2c 22 49 63 6f 46 69 6c 74 65 72 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 43 68 61 6e 67 65 47 61 74 65 2e 48 69 64 65 52 65 63 6f 72 64 46 6f 72 41 75 74 6f 41 6c 74 54 65 78 74 55 70 64 61 74 65 22 3a 66 61 6c 73 65 2c 22 43 68 61 6e 67 65 47 61 74 65 2e 46 43 61 6d 65 6f 45 72 72 6f 72 48 61 6e 64 6c 69 6e 67 22 3a 66 61 6c 73 65 2c 22 43 68 61 6e 67 65 47 61 74 65 2e
Data Ascii: pCache":true,"DeleteEditorEarlyReturnOnReentry":true,"SVGLoadFromLocalFilesystem":true,"UseLogicalDPIForVectorImageResource":true,"IcoFilterEnabled":true,"ChangeGate.HideRecordForAutoAltTextUpdate":false,"ChangeGate.FCameoErrorHandling":false,"ChangeGate.
2024-11-26 07:20:48 UTC | 8192 | IN | Data Raw: 6d 65 22 3a 74 72 75 65 7d 2c 22 55 73 65 45 6e 74 69 74 6c 65 6d 65 6e 74 50 72 6f 76 69 64 65 72 22 3a 74 72 75 65 2c 22 53 68 6f 75 6c 64 55 73 65 4d 69 63 72 6f 73 6f 66 74 33 36 35 52 65 62 72 61 6e 64 69 6e 67 22 3a 74 72 75 65 2c 22 44 69 6d 65 57 65 62 56 69 65 77 44 69 61 6c 6f 67 2e 48 65 69 67 68 74 22 3a 36 39 32 2c 22 55 73 65 52 4e 46 6f 72 4f 6c 73 54 6f 6b 65 6e 44 69 61 6c 6f 67 22 3a 74 72 75 65 2c 22 44 65 6c 61 79 46 6f 72 47 65 6e 75 69 6e 65 4f 66 66 69 63 65 44 69 61 6c 6f 67 22 3a 32 2c 22 55 73 65 43 61 6e 52 75 6e 46 65 61 74 75 72 65 43 61 63 68 65 55 70 64 61 74 65 22 3a 74 72 75 65 2c 22 47 65 74 47 65 6e 75 69 6e 65 4f 66 66 69 63 65 43 61 6d 70 61 69 67 6e 54 72 65 61 74 6d 65 6e 74 22 3a 37 2c 22 48 61 6e 64 6c 65 50 72 6f
Data Ascii: me":true},"UseEntitlementProvider":true,"ShouldUseMicrosoft365Rebranding":true,"DimeWebViewDialog.Height":692,"UseRNForOlsTokenDialog":true,"DelayForGenuineOfficeDialog":2,"UseCanRunFeatureCacheUpdate":true,"GetGenuineOfficeCampaignTreatment":7,"HandlePro
2024-11-26 07:20:48 UTC | 8192 | IN | Data Raw: 72 31 31 32 35 33 5f 30 22 3a 31 2c 22 72 31 31 32 35 32 5f 30 22 3a 31 2c 22 72 31 31 32 35 31 5f 30 22 3a 31 2c 22 72 31 31 32 35 30 5f 30 22 3a 31 2c 22 72 31 31 32 31 39 5f 30 22 3a 31 2c 22 72 31 31 32 31 38 5f 34 22 3a 31 2c 22 72 31 31 32 31 37 5f 30 22 3a 31 2c 22 72 31 31 32 30 36 5f 32 22 3a 31 2c 22 72 31 31 32 30 35 5f 32 22 3a 31 2c 22 72 31 31 32 30 34 5f 32 22 3a 31 2c 22 72 31 31 32 30 33 5f 32 22 3a 31 2c 22 72 31 31 32 30 32 5f 30 22 3a 31 2c 22 72 31 31 31 38 36 5f 30 22 3a 31 2c 22 72 31 31 31 38 35 5f 30 22 3a 31 2c 22 72 31 31 31 38 34 5f 30 22 3a 31 2c 22 72 31 31 31 38 33 5f 30 22 3a 31 2c 22 72 31 31 31 38 32 5f 30 22 3a 31 2c 22 72 31 31 31 38 31 5f 31 22 3a 31 2c 22 72 31 31 31 38 30 5f 30 22 3a 31 2c 22 72 31 31 31 37 38 5f 30
Data Ascii: r11253_0":1,"r11252_0":1,"r11251_0":1,"r11250_0":1,"r11219_0":1,"r11218_4":1,"r11217_0":1,"r11206_2":1,"r11205_2":1,"r11204_2":1,"r11203_2":1,"r11202_0":1,"r11186_0":1,"r11185_0":1,"r11184_0":1,"r11183_0":1,"r11182_0":1,"r11181_1":1,"r11180_0":1,"r11178_0
2024-11-26 07:20:48 UTC | 8192 | IN | Data Raw: 72 31 31 32 36 36 5f 30 22 3a 31 2c 22 72 31 31 32 36 35 5f 31 22 3a 31 2c 22 72 31 31 32 36 32 5f 30 22 3a 31 2c 22 72 31 31 32 35 36 5f 30 22 3a 31 2c 22 72 31 31 31 37 39 5f 30 22 3a 31 2c 22 72 31 31 31 37 37 5f 30 22 3a 31 2c 22 72 31 31 31 36 37 5f 31 22 3a 31 2c 22 72 31 31 31 34 38 5f 31 22 3a 31 2c 22 72 31 31 30 31 31 5f 30 22 3a 31 2c 22 72 31 31 30 31 30 5f 30 22 3a 31 2c 22 72 31 30 39 39 38 5f 30 22 3a 31 2c 22 72 31 30 39 39 37 5f 30 22 3a 31 2c 22 72 31 30 39 39 36 5f 30 22 3a 31 2c 22 72 31 30 39 38 30 5f 30 22 3a 31 2c 22 72 31 30 39 37 30 5f 31 22 3a 31 2c 22 72 31 30 39 36 34 5f 30 22 3a 31 2c 22 72 31 30 39 36 30 5f 31 22 3a 31 2c 22 72 31 30 39 35 39 5f 30 22 3a 31 2c 22 72 31 30 39 35 38 5f 31 22 3a 31 2c 22 72 31 30 39 34 37 5f 30
                                                                                                                                                                                                                          Data Ascii: r11266_0":1,"r11265_1":1,"r11262_0":1,"r11256_0":1,"r11179_0":1,"r11177_0":1,"r11167_1":1,"r11148_1":1,"r11011_0":1,"r11010_0":1,"r10998_0":1,"r10997_0":1,"r10996_0":1,"r10980_0":1,"r10970_1":1,"r10964_0":1,"r10960_1":1,"r10959_0":1,"r10958_1":1,"r10947_0
                                                                                                                                                                                                                          2024-11-26 07:20:48 UTC8192INData Raw: 6b 4f 70 65 6e 69 6e 67 2e 45 64 67 65 4d 69 6e 69 6d 75 6d 56 65 72 73 69 6f 6e 22 3a 22 30 78 37 31 30 30 30 30 30 36 45 45 30 30 33 39 22 2c 22 4d 33 36 35 42 72 6f 77 73 65 72 4c 69 6e 6b 4f 70 65 6e 69 6e 67 2e 4f 43 49 44 50 61 72 61 6d 53 74 72 69 6e 67 22 3a 22 22 2c 22 4d 33 36 35 42 72 6f 77 73 65 72 4c 69 6e 6b 4f 70 65 6e 69 6e 67 2e 45 6e 61 62 6c 65 41 64 6d 69 6e 50 6f 6c 69 63 79 22 3a 74 72 75 65 2c 22 4d 65 43 6f 6e 74 72 6f 6c 2e 41 70 70 43 75 73 74 6f 6d 4d 6f 64 65 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 4d 65 43 6f 6e 74 72 6f 6c 2e 4d 61 69 6c 62 6f 78 53 77 69 74 63 68 69 6e 67 22 3a 66 61 6c 73 65 2c 22 4d 6f 6e 61 72 63 68 54 6f 67 67 6c 65 2e 43 6f 6e 66 69 67 2e 54 68 69 72 64 50 61 72 74 79 4d 41 50 49 50 72 6f 76 69 64
                                                                                                                                                                                                                          Data Ascii: kOpening.EdgeMinimumVersion":"0x71000006EE0039","M365BrowserLinkOpening.OCIDParamString":"","M365BrowserLinkOpening.EnableAdminPolicy":true,"MeControl.AppCustomModeEnabled":true,"MeControl.MailboxSwitching":false,"MonarchToggle.Config.ThirdPartyMAPIProvid
                                                                                                                                                                                                                          2024-11-26 07:20:49 UTC8192INData Raw: 67 22 3a 32 7d 2c 22 53 68 6f 75 6c 64 55 73 65 4d 69 63 72 6f 73 6f 66 74 33 36 35 42 72 61 6e 64 69 6e 67 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 7d 7d 2c 22 54 65 6e 61 6e 74 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 49 6e 69 74 54 65 6e 61 6e 74 49 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 4e 75 6c 22 3a 7b 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 46 65 74 63 68 65 72 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 47 65 74 4e 75 6c 4f 62 6a 65 63 74 46 6f 72 49 64 65 6e 74 69 74 79 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 46 65 74 63 68 4d 6f 64 65 6c 46 72 6f 6d 4f 6c 73 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 47 65 74 4c 69 63 65 6e 73 65 46 65 61 74 75 72
                                                                                                                                                                                                                          Data Ascii: g":2},"ShouldUseMicrosoft365Branding":{"EventFlag":256}}},"Tenant":{"Events":{"InitTenantId":{"EventFlag":2}}},"Nul":{"SubNamespaces":{"Fetcher":{"Events":{"GetNulObjectForIdentity":{"EventFlag":256},"FetchModelFromOls":{"EventFlag":256},"GetLicenseFeatur
                                                                                                                                                                                                                          2024-11-26 07:20:49 UTC8192INData Raw: 6d 70 54 6f 41 75 74 68 6f 72 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 43 6f 61 75 74 68 47 61 6c 6c 65 72 79 55 73 65 72 55 70 64 61 74 65 41 75 74 68 6f 72 4c 6f 63 61 74 69 6f 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 43 6f 61 75 74 68 47 61 6c 6c 65 72 79 55 73 65 72 55 70 64 61 74 65 45 6d 61 69 6c 41 6e 64 43 68 61 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 43 6f 6e 74 61 63 74 43 61 72 64 41 63 74 69 6f 6e 48 75 62 41 63 74 69 6f 6e 53 68 6f 77 43 6f 6e 74 61 63 74 43 61 72 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 43 6f 61 75 74 68 47 61 6c 6c 65 72 79 55 73 65 72 4a 75 6d 70 54 6f 41 75 74 68 6f 72 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d
                                                                                                                                                                                                                          Data Ascii: mpToAuthor":{"EventFlag":512},"CoauthGalleryUserUpdateAuthorLocation":{"EventFlag":512},"CoauthGalleryUserUpdateEmailAndChat":{"EventFlag":512},"ContactCardActionHubActionShowContactCard":{"EventFlag":512},"CoauthGalleryUserJumpToAuthor":{"EventFlag":512}
                                                                                                                                                                                                                          2024-11-26 07:20:49 UTC8192INData Raw: 6e 74 73 22 3a 7b 22 43 6f 6c 6c 61 62 50 61 6e 65 55 73 65 72 53 65 74 43 6f 6c 6c 61 62 50 61 6e 65 4d 6f 64 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 6f 6c 6c 61 62 50 61 6e 65 55 73 65 72 43 6c 69 63 6b 53 68 61 72 69 6e 67 4c 69 6e 6b 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 6f 6c 6c 61 62 50 61 6e 65 55 73 65 72 49 73 43 75 72 72 65 6e 74 44 6f 63 45 6e 74 65 72 70 72 69 73 65 50 72 6f 74 65 63 74 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 44 6f 63 75 6d 65 6e 74 73 53 68 61 72 65 64 57 69 74 68 4d 65 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 44 6f 63 75 6d 65 6e 74 73 53 68 61 72 65 64 57 69 74 68 4d 65 52 65 71 75 65 73 74 44 6f 63 75 6d 65 6e 74 73 53 68 61 72 65 64 57 69 74 68 4d
                                                                                                                                                                                                                          Data Ascii: nts":{"CollabPaneUserSetCollabPaneMode":{"EventFlag":2},"CollabPaneUserClickSharingLink":{"EventFlag":2},"CollabPaneUserIsCurrentDocEnterpriseProtected":{"EventFlag":2}}},"DocumentsSharedWithMe":{"Events":{"DocumentsSharedWithMeRequestDocumentsSharedWithM


Target ID:0
Start time:02:20:37
Start date:26/11/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\9oKqST-uPDy7iigkXM-C5J2.eml"
Imagebase:0xfe0000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:02:20:45
Start date:26/11/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "909F8203-86CF-4645-BECD-9B51F3F5FCE2" "C09C1B24-C44F-467A-9AB2-5232C5339FAF" "7364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff774f00000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

No disassembly