Windows Analysis Report
I RECORDED YOU! (1.97 KB).msg

Overview

General Information

Sample name: I RECORDED YOU! (1.97 KB).msg
Analysis ID: 1417540
MD5: 256182511dab8545923eb5bf63cb0980
SHA1: 6808b0efdd6e36bb137bb7ca6cf14931ae3821b4
SHA256: 6617ec557d7431df4f2a9832d223bdcce2678380d88c1de77aa650bac1f058cb

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Tries to load missing DLLs

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 2364 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I RECORDED YOU! (1.97 KB).msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5676 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15FB35E9-0E99-49EC-BEC5-55258A074698" "455748EB-7393-409D-9933-D729DF600100" "2364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched

There are no malicious signatures.

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: classification engine | Classification label: clean1.winMSG@3/11@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240329T1528170084-2364.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I RECORDED YOU! (1.97 KB).msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15FB35E9-0E99-49EC-BEC5-55258A074698" "455748EB-7393-409D-9933-D729DF600100" "2364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques per tactic; the count of matched signatures is given in parentheses where a technique was observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); System Information Discovery (13); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID: 1417540): Sample: I RECORDED YOU! (1.97 KB).msg; Startdate: 29/03/2024; Architecture: WINDOWS; Score: 1. Process chain: OUTLOOK.EXE started, which in turn started ai.exe.
Antivirus detection (Source | Detection | Scanner): I RECORDED YOU! (1.97 KB).msg | 0% | Virustotal
No Antivirus matches
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
    high
    https://login.microsoftonline.com/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
      high
      https://shell.suite.office.com:1443872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
          high
          https://autodiscover-s.outlook.com/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
            high
            https://useraudit.o365auditrealtimeingestion.manage.office.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
              high
              https://outlook.office365.com/connectors872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                high
                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                  high
                  https://cdn.entity.872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  https://api.addins.omex.office.net/appinfo/query872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                    high
                    https://clients.config.office.net/user/v1.0/tenantassociationkey872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                      high
                      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                        high
                        https://powerlift.acompli.net872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                        • URL Reputation: safe
                        unknown
                        https://rpsticket.partnerservices.getmicrosoftkey.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                        • URL Reputation: safe
                        unknown
                        https://lookup.onenote.com/lookup/geolocation/v1872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                          high
                          https://cortana.ai872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                          • URL Reputation: safe
                          unknown
                          https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                            high
                            https://api.powerbi.com/v1.0/myorg/imports872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                              high
                              https://cloudfiles.onenote.com/upload.aspx872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                high
                                https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                  high
                                  https://entitlement.diagnosticssdf.office.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                    high
                                    https://api.aadrm.com/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://ofcrecsvcapi-int.azurewebsites.net/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://ic3.teams.office.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                      high
                                      https://www.yammer.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                        high
                                        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                          high
                                          https://api.microsoftstream.com/api/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                            high
                                            https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                              high
                                              https://cr.office.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                high
                                                https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                • Avira URL Cloud: safe
                                                low
                                                https://messagebroker.mobile.m365.svc.cloud.microsoft872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://otelrules.svc.static.microsoft872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://portal.office.com/account/?ref=ClientMeControl872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                  high
                                                  https://clients.config.office.net/c2r/v1.0/DeltaAdvisory872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                    high
                                                    https://edge.skype.com/registrar/prod872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                      high
                                                      https://graph.ppe.windows.net872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                        high
                                                        https://res.getmicrosoftkey.com/api/redemptionevents872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://powerlift-frontdesk.acompli.net872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://tasks.office.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                          high
                                                          https://officeci.azurewebsites.net/api/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://sr.outlook.office.net/ws/speech/recognize/assistant/work872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                            high
                                                            https://api.scheduler.872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://my.microsoftpersonalcontent.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://store.office.cn/addinstemplate872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://api.aadrm.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://edge.skype.com/rps872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                              high
                                                              https://outlook.office.com/autosuggest/api/v1/init?cvid=872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                high
                                                                https://globaldisco.crm.dynamics.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                  high
                                                                  https://messaging.engagement.office.com/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                    high
                                                                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                      high
                                                                      https://dev0-api.acompli.net/autodetect872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://www.odwebp.svc.ms872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://api.diagnosticssdf.office.com/v2/feedback872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                        high
                                                                        https://api.powerbi.com/v1.0/myorg/groups872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                          high
                                                                          https://web.microsoftstream.com/video/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                            high
                                                                            https://api.addins.store.officeppe.com/addinstemplate872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://graph.windows.net872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                              high
                                                                              https://dataservice.o365filtering.com/872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officesetup.getmicrosoftkey.com872094E6-8037-4990-9892-51BCE4E4C60C.1.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
All URLs below were found in the dropped file 872094E6-8037-4990-9892-51BCE4E4C60C.1.dr (Source column) and every entry is flagged Malicious: false.

Name | Antivirus Detection | Reputation
https://analysis.windows.net/powerbi/api | | high
https://prod-global-autodetect.acompli.net/autodetect | URL Reputation: safe | unknown
https://substrate.office.com | | high
https://outlook.office365.com/autodiscover/autodiscover.json | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | | high
https://consent.config.office.com/consentcheckin/v1.0/consents | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | | high
https://d.docs.live.net | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://safelinks.protection.outlook.com/api/GetPolicy | | high
https://ncus.contentsync. | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | | high
http://weather.service.msn.com/data.aspx | | high
https://apis.live.net/v5.0/ | URL Reputation: safe | unknown
https://officepyservice.office.net/service.functionality | | high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | | high
https://templatesmetadata.office.net/ | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | | high
https://messaging.lifecycle.office.com/ | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | | high
https://pushchannel.1drv.ms | | high
https://management.azure.com | | high
https://outlook.office365.com | | high
https://wus2.contentsync. | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | | high
https://clients.config.office.net/user/v1.0/ios | | high
https://make.powerautomate.com | URL Reputation: safe | unknown
https://api.addins.omex.office.net/api/addins/search | | high
https://insertmedia.bing.office.net/odc/insertmedia | | high
https://outlook.office365.com/api/v1.0/me/Activities | | high
https://api.office.net | | high
https://incidents.diagnosticssdf.office.com | | high
https://asgsmsproxyapi.azurewebsites.net/ | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | | high
https://entitlement.diagnostics.office.com | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | | high
https://substrate.office.com/search/api/v2/init | | high
https://outlook.office.com/ | | high
https://storage.live.com/clientlogs/uploadlocation | | high
                                                                                                                                                  No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1417540
Start date and time: 2024-03-29 15:27:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: I RECORDED YOU! (1.97 KB).msg
Detection: CLEAN
Classification: clean1.winMSG@3/11@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .msg
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 40.126.62.132, 20.190.190.130, 20.190.190.194, 20.190.190.195, 20.190.190.196, 40.126.62.130, 40.126.62.131, 20.190.190.132, 52.109.28.46, 52.113.194.132, 51.11.192.50, 52.168.117.174
• Excluded domains from analysis (whitelisted): ecs.office.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, s-0005-office.config.skype.com, login.msa.msidentity.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdfrc04.francecentral.cloudapp.azure.com, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, onedscolprdeus22.eastus.cloudapp.azure.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, uks-azsc-config.officeapps.live.com
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                  No simulations
                                                                                                                                                  No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 231348
Entropy (8bit): 4.394037650478909
Encrypted: false
SSDEEP: 1536:PsYLu/gsc0wEGdqYUgs0vNcAz79ysQqt2Qo1QqoQQ5rcm0FvRD/ygS8snZvSoCWD:fygyAygtmiGu2WqoQGrt0Fvk+g90Eh/
MD5: 07A780A3F7E0BC75B6A8A96B5FD2FC28
SHA1: B0C5E66773428DFF932FF396246CDCBE8E904EA1
SHA-256: F653DAC56C7C373D9358CD65214FDCF2E7A21DB6FE354AF808425F03CAB144AE
SHA-512: AEDC329FACEB2BD970724FC6B5DCF4F9EC9B358E5D0B6526CF386890BCB1C02D1729D251833F22E70773E005AC7F8BC3A7B13DC9E4753DB28ECB36215BC70786
Malicious: false
Reputation: low
                                                                                                                                                  Preview:TH02...... . .FN.......SM01X...,...@.;N...........IPM.Activity...........h...............h............H..h..........Wx...h............H..h\alf ...AppD...h@e..0..........h..l............h........_`4j...hU.l.@...I..v...h....H...8.9j...0....T...............d.........2h...............k..1.......;...!h.............. hHo?...........#h....8.........$h........8....."h..............'h..............1h..l.<.........0h....4....9j../h....h.....9jH..h....p.........-h .......<.....+h..l......................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 165923
Entropy (8bit): 5.3412396693592505
Encrypted: false
SSDEEP: 1536:l+C7FPgOuB3U9guwwJQ9DQA+zezhQik4F77nXmvYd8XRTEwreOR6g:CIQ9DQA+zezyXeMJ
MD5: 334B215135A633FF791619BEDF2448B6
SHA1: 37DBEFE75F2C1F02039969C8581CF19D826C49A1
SHA-256: 0F27C7E58C2C9C754544BC046468C413B5AF04AB9B8C175310E302A8549AC45B
SHA-512: 2260ADFA07E68A857985B17B0D434467A4F297C26454D04EA0E0CE66232A8530CE1ED72B1712574800ADDD1755F0F8C9B41FB70BA5C58AE812A89B03362BA6DB
Malicious: false
Reputation: low
                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-03-29T14:28:20">.. Build: 16.0.17524.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.04604146709717531
Encrypted: false
SSDEEP: 3:GtlxtjlztrP2GOy/kttlxtjlztrP2GOy/Ll9R9//8l1lvlll1lllwlvlllglbelL:GtJrPJOEkttJrPJOE59X01PH4l942wU
MD5: CC8DAAB5277D9F6892D8D76D3ED01A3E
SHA1: 51F0659F20912B5486B0AA0F9BE3415ECD79B309
SHA-256: 6C25F49624C444002114346DB0A663CE84588CE09166148BEC9FE064FFE3C4F2
SHA-512: 5AEDEBF0D81362E13F6D4170CE83B8626047BF4CA0A9BC9CA480A9C4A905A02CD630FCF22AE5AED5628340F75B366AD18A3F8287200471543CF763F1898F1502
Malicious: false
Reputation: low
                                                                                                                                                  Preview:..-.....................Aw.n.*..a..Y.h.rD.G.c.z$..-.....................Aw.n.*..a..Y.h.rD.G.c.z$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
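Each dropped-file entry above reports the file's size, its 8-bit Shannon entropy, an Encrypted flag and MD5/SHA1/SHA-256/SHA-512 digests. The Python below is an added example, not part of the Joe Sandbox report, that recomputes those fields for a local file so an analyst can confirm a retrieved dropped file is the one the report describes (for example, by pasting the reported MD5 into the `reported` dictionary). The ENCRYPTED_THRESHOLD of 7.5 bits per byte is an assumption of this example; the page does not say how the sandbox derives its Encrypted flag. The two sample buffers are constructed here and are not the report's files; Malicious and Reputation are sandbox verdicts that cannot be recomputed offline, so a report field this script cannot compute is reported as a mismatch rather than silently skipped.

```python
"""Recompute the per-file fields of a Joe Sandbox 'dropped files' entry.

Added example, not part of the report. ENCRYPTED_THRESHOLD is an assumption:
the page does not state how the sandbox derives its 'Encrypted' flag.
"""
import hashlib
import math
from collections import Counter

# Assumption: a common analyst heuristic, not Joe Sandbox's documented rule.
ENCRYPTED_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum possible


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Build the hash and entropy fields using the report's own field names."""
    entropy = shannon_entropy_8bit(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(data: bytes, reported: dict) -> list:
    """Return the names of reported fields that disagree with the computed ones.

    Digest strings are compared case-insensitively, floats with a small
    tolerance. A field the report lists but this script cannot compute
    (e.g. Reputation) is flagged too, so nothing is silently ignored.
    """
    computed = fingerprint(data)
    mismatches = []
    for key, expected in reported.items():
        got = computed.get(key)
        if got is None:
            mismatches.append(key)
        elif isinstance(expected, float):
            if abs(got - expected) > 1e-9:
                mismatches.append(key)
        elif isinstance(expected, str):
            if got.upper() != expected.upper():
                mismatches.append(key)
        elif got != expected:
            mismatches.append(key)
    return mismatches


# Constructed sample inputs (not the report's files): a sparse 32 KiB buffer
# resembling the mostly-zero third dropped file, and a byte-uniform buffer.
SPARSE_SAMPLE = b".-" + bytes(32766)
UNIFORM_SAMPLE = bytes(range(256)) * 128


if __name__ == "__main__":
    for name, blob in (("sparse", SPARSE_SAMPLE), ("uniform", UNIFORM_SAMPLE)):
        fp = fingerprint(blob)
        print(f"{name}: size={fp['Size (bytes)']} entropy={fp['Entropy (8bit)']:.4f} "
              f"encrypted={fp['Encrypted']} sha256={fp['SHA-256']}")
```

The sparse buffer lands well below one bit per byte, which is why a file like the 32768-byte dropped file above reports an entropy near zero and Encrypted: false; a file whose bytes are close to uniform approaches 8.0 and is the case the threshold is meant to catch.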
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Category: modified
Size (bytes): 49472
Entropy (8bit): 0.48290074704211816
Encrypted: false
SSDEEP: 48:QhHFQ1KcUll7DYMFg0zO8VFDYMeXTBO8VFDYML:xCll4sxjVGLdjVGC
MD5: 18D3C68D020B8DDB5235BE5F4A849149
SHA1: 1FD95F290AF44533844455B523EDEAC0415D2816
SHA-256: 2914555365AAE59B319F78A815F65B0414E5193EE8D151D0CA04C85D8FEF799D
SHA-512: C77A88F6516F1BB230D4278E0433E66FB59DAF0AD329310FE231D40572631FA01298B80DFCB30D2EDECEC84EB7F38AB6605F033B7CBC08B7EFD590571CA6805E
Malicious: false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:ASCII text, with very long lines (28757), with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                  Entropy (8bit):0.15904614519507423
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:GBVUHkatTauAB3IS+mBp7Cd2ZSxrFj1k2sN8EQBzObXP8P:JkotABYqglgBEP
                                                                                                                                                  MD5:1D188414E40415BC6A3CB023EFC9698B
                                                                                                                                                  SHA1:982B546D800C8BC6E01E0DB254140B3BFCD31C6E
                                                                                                                                                  SHA-256:C65F4340F9AF24B2438F14904A60E33416CF8AD144D3EA9608DC6ECC624E624B
                                                                                                                                                  SHA-512:81F4F6F905E8340C7877E0B5BDC3660EF70F3BD993124A29FFF0C7ABF2D221FC512BD451AEDFA63F7891857C437E132B8FF730510071F8D21DBAA54339FBB448
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/29/2024 14:28:17.350.OUTLOOK (0x93C).0x1034.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-03-29T14:28:17.350Z","Contract":"Office.System.Activity","Activity.CV":"DTWEkpsmS0iicWdCGpePjg.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...03/29/2024 14:28:17.365.OUTLOOK (0x93C).0x1034.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-03-29T14:28:17.365Z","Contract":"Office.System.Activity","Activity.CV":"DTWEkpsmS0iicWdCGpePjg.4.10","Activity.Duration":10560,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3::
                                                                                                                                                  MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                  SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                  SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                  SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):94208
                                                                                                                                                  Entropy (8bit):4.489776891328172
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:rU+q4BrQjev/8k4Qei89PHwqBXtV+nrHKPHOBa0KfTW0nsvuhn4M0JaLcWTWu1WX:v4089PH7XYR42
                                                                                                                                                  MD5:3373577C15641751219123A2FC24A9C9
                                                                                                                                                  SHA1:0F89F21FA76EC33EC217D135E0CEB5F18BAEE43E
                                                                                                                                                  SHA-256:BCC514ED35648598A150AB67D2DEB4839AB79695D98D1A6680B7E083879F5A3D
                                                                                                                                                  SHA-512:C036EDCAEEE9D00C3361B5278AD42611F5E754AE425B8D8F7BBCD8DCE4C320C0E9AFF7CA828F27ADF86537C8416148529BA4DC346BAB06FA529D200C8C427EC6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:............................................................................b...4...<.....+W...................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1...........................................................p.)..............+W...........v.2._.O.U.T.L.O.O.K.:.9.3.c.:.8.5.c.6.1.d.e.a.4.e.7.4.4.0.1.e.b.2.4.5.5.7.3.3.b.c.c.a.5.7.d.f...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.3.2.9.T.1.5.2.8.1.7.0.0.8.4.-.2.3.6.4...e.t.l.............P.P.4...<...5Y.W...................................................................................................................................................................................................................................................................................................
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):163840
                                                                                                                                                  Entropy (8bit):0.32866108840431163
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:73nfXpgJKMtFaN7TcGeO2Xx8yNgz0XHWQOAIAbAFAqwNh/:Fg0XMO2KFz0XHOAIMu
                                                                                                                                                  MD5:E21F3B2E281ACB37385121622C5AE722
                                                                                                                                                  SHA1:D0AA90D3C2DC2C1D90FDC212070CA37D7B6DF447
                                                                                                                                                  SHA-256:ED18E565C72C7C8B045BA89C78B2E6BBBE8D084B237838E50B6966A9E2E7D062
                                                                                                                                                  SHA-512:E3EC246E256F550BA2D918A2D4FF7BF45CE9D29A4290B831B8B7DBC9FA17860C22FA5B5463F7B309D9810F1360A475E24EF3C9E8406056CC0DB2E5F80801A7DE
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):30
                                                                                                                                                  Entropy (8bit):1.2389205950315936
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:S6lj:S6
                                                                                                                                                  MD5:26BE7127E4BADDB9CD898D73BD15C437
                                                                                                                                                  SHA1:2F5C4A8B93680B849E7131B8B51C10A7E829A26C
                                                                                                                                                  SHA-256:CB7A2DF4160E7D7C3CBD8FC977E1F0F9AD9BA4DDB8BC86B4A1F620373DE63598
                                                                                                                                                  SHA-512:38ED7ED18DBCD903CD1BFC6CB985D7F33320DACAE2946994A5F490CA4F7796C8DAED303C1035991403640B6399B326B3358F4F1277FF7E79564DAFCED3F36A03
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:....e&........................
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:Microsoft Outlook email folder (>=2003)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):271360
                                                                                                                                                  Entropy (8bit):1.2171842172289684
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:iFeQcmp2ewtQlBrcWPFhBrGbKtiKZgTIt+Lt4KwZz+L3:ApHA4j8sBt20z
                                                                                                                                                  MD5:048F27462653B4ABA62DF2BC708C7EE6
                                                                                                                                                  SHA1:6668CCA4FDB46F05B4420F891639CA94CA4EE3C3
                                                                                                                                                  SHA-256:6C01401399BCFA83ABCA8D787096A7167E23EFEF945AAC034296319BA8DDBE31
                                                                                                                                                  SHA-512:A5C44D3B4A5D4C9C880C7A7250EC827BD47F892607D4A38D7E3429482F5CAB610C9BA243D8708EFF776387DD3741FC122A8F7D340B9B965C6A835A90FF3B2261
                                                                                                                                                  Malicious:false
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):131072
                                                                                                                                                  Entropy (8bit):1.0280984399648605
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:iYjTItCwKNLGscMd4715VtCExHQblApmCwKNLK033rkPms+:iUTIt+LbRWHgIwZz+L3wD
                                                                                                                                                  MD5:6C6345075BC212DCE1E69B8C5383ED26
                                                                                                                                                  SHA1:749CB880B60E3DBC3F256D4FD9AC09ED81570F08
                                                                                                                                                  SHA-256:7030F63A248AC8120490DAE8FEB3322947BB4DF58BB59EA4575BDA74E7DFB444
                                                                                                                                                  SHA-512:A391EF27075DE10B6F9D0DF33309CEEC05E44B12A743CA98FBB64D52FABA9D5589D61B5E27EB39813ED8C2554FF1C784109D38D049AB4DF795682140F0293A3B
                                                                                                                                                  Malicious:false
                                                                                                                                                  File type:CDFV2 Microsoft Outlook Message
                                                                                                                                                  Entropy (8bit):3.3283208756097675
                                                                                                                                                  TrID:
                                                                                                                                                  • Outlook Message (71009/1) 58.92%
                                                                                                                                                  • Outlook Form Template (41509/1) 34.44%
                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                                                                                                                                                  File name:I RECORDED YOU! (1.97 KB).msg
                                                                                                                                                  File size:8'704 bytes
                                                                                                                                                  MD5:256182511dab8545923eb5bf63cb0980
                                                                                                                                                  SHA1:6808b0efdd6e36bb137bb7ca6cf14931ae3821b4
                                                                                                                                                  SHA256:6617ec557d7431df4f2a9832d223bdcce2678380d88c1de77aa650bac1f058cb
                                                                                                                                                  SHA512:7c0fdf4a4d3c145d164b6b286b4a8dc6c6319566a3d09821109274f83a439b1a5ca7667297d0c4522e129edcee787b8aecd2d375e829b7f3aeaf1792220b1434
                                                                                                                                                  SSDEEP:96:ng8c7mQxvjlnMmnETj8sUUePRiAU1Iv1ky9XmCgGmuZdh:gNmQ91Mmoj8KePRZx1h9XKxuZd
                                                                                                                                                  TLSH:0B02762438DA510EF1BBDF702DD894E7CA5ABDA3BE05912B2081334F1B71A44ED9163C
                                                                                                                                                  Subject:
                                                                                                                                                  From:
                                                                                                                                                  To:
                                                                                                                                                  Cc:
                                                                                                                                                  BCC:
                                                                                                                                                  Date:
                                                                                                                                                  Communications:
  Attachments:
    Key:date
    Value:PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs (base64; decodes to `<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional`, the opening of an HTML 4.01 Transitional document)

Icon Hash:c4e1928eacb280a2
No network behavior found
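The dotted File Content Preview above is what an OLE Compound File (CFB) header looks like once non-printable bytes are replaced by dots, and CFB is the container format of an Outlook .msg: the 8-byte signature and the 16-byte CLSID are all non-printable (24 dots), and the '>' at offset 24 is the low byte of the MinorVersion field, 0x3E. The Python below is an added example written for this page, not Joe Sandbox code or anything taken from the sample: it parses a constructed CFB header (the bytes are built to the MS-CFB layout, not copied from the file), renders it the way the report's preview does, and decodes the base64 Value cell from the Attachments table. The function names are the example's own.

```python
"""Static-file checks matching the details above.  Added example for this
report, not Joe Sandbox code: the header bytes are constructed to match the
CFB layout, not copied from the sample."""
import base64
import struct

# MS-CFB header: 8-byte signature, 16-byte CLSID (zero), then little-endian
# u16 fields MinorVersion (0x003E), MajorVersion (3), ByteOrder (0xFFFE),
# SectorShift (9 -> 512-byte sectors), MiniSectorShift (6 -> 64 bytes).
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SAMPLE_HEADER = CFB_MAGIC + b"\x00" * 16 + struct.pack("<HHHHH", 0x003E, 0x0003, 0xFFFE, 9, 6)  # constructed

# The base64 'Value' cell from the Attachments table in this report.
ATTACHMENT_VALUE = "PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs"


def parse_cfb_header(data: bytes) -> dict:
    """Validate the signature and byte-order mark and return the version and
    sector-size fields of a compound-file header."""
    if len(data) < 34:
        raise ValueError("header truncated (%d bytes)" % len(data))
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    minor, major, bom, sector_shift, mini_shift = struct.unpack("<HHHHH", data[24:34])
    if bom != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % bom)
    return {
        "clsid": data[8:24].hex(),
        "minor_version": minor,
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
    }


def content_preview(data: bytes, width: int = 64) -> str:
    """Render bytes the way the report's File Content Preview does: printable
    ASCII is shown, every other byte becomes a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:width])


def decode_attachment_value(b64: str) -> str:
    """Decode a base64 cell; re-pad because the report may truncate it."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(parse_cfb_header(SAMPLE_HEADER))
    print(content_preview(SAMPLE_HEADER))   # 24 dots, then '>' for the 0x3E byte
    print(decode_attachment_value(ATTACHMENT_VALUE))
```

The preview of the constructed header reproduces the report's pattern exactly (24 dots, then '>'), which is why a .msg sample shows that shape even though none of the header is human-readable; on a real file, feed the first 512 bytes to `parse_cfb_header` before handing the sample to an OLE parser.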


Target ID:1
Start time:15:28:16
Start date:29/03/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I RECORDED YOU! (1.97 KB).msg"
Imagebase:0x640000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Target ID:2
Start time:15:28:18
Start date:29/03/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15FB35E9-0E99-49EC-BEC5-55258A074698" "455748EB-7393-409D-9933-D729DF600100" "2364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff7c68f0000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false
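The two process records above are the whole reason this sample scores 1: Outlook opens the .msg, then launches ai.exe from inside the Office install root (the vfs\ProgramFilesCommonX64 tree), passing it two GUIDs, the parent PID, the parent's image path and an .onnx model name. A triage script should treat that shape as the baseline and flag deviations (ai.exe from a user-writable directory, a parent PID that is not Outlook's, a parent image argument pointing elsewhere). The Python below is an added example for this page, not Joe Sandbox code and not an Office specification: the two "observed" records are built from the paths and command lines in this report, Outlook's PID 2364 is assumed from the value ai.exe was given on its command line, the "suspicious" record is constructed, and the rules encode only what this benign launch looks like here.

```python
"""Baseline check for the OUTLOOK.EXE -> ai.exe launch recorded above.  Added
example, not Joe Sandbox code: the two 'observed' records are built from the
paths and command lines in this report (parent PID 2364 is assumed from the
value ai.exe received on its command line), the 'suspicious' record is
constructed, and the rules only encode what this benign launch looks like."""
import re

OFFICE_ROOT = r"C:\Program Files (x86)\Microsoft Office\root"
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

OUTLOOK_OBSERVED = {
    "pid": 2364,  # assumed, see module docstring
    "path": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
    "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I RECORDED YOU! (1.97 KB).msg"',
}
AI_EXE_OBSERVED = {
    "path": r"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe",
    "cmdline": r'"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15FB35E9-0E99-49EC-BEC5-55258A074698" "455748EB-7393-409D-9933-D729DF600100" "2364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"',
}
# Constructed counter-example: same arguments, but the binary runs from %TEMP%
# and names a parent PID that is not Outlook's.
AI_EXE_SUSPICIOUS = {
    "path": r"C:\Users\user\AppData\Local\Temp\ai.exe",
    "cmdline": r'"C:\Users\user\AppData\Local\Temp\ai.exe" "15FB35E9-0E99-49EC-BEC5-55258A074698" "455748EB-7393-409D-9933-D729DF600100" "4444" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"',
}


def split_windows_cmdline(cmd: str) -> list:
    """Split a Windows command line: double-quoted runs stay whole, anything
    else splits on whitespace (enough for the Office command lines here)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def same_path(a: str, b: str) -> bool:
    """NTFS paths are case-insensitive; the report itself mixes 'root' and 'Root'."""
    return a.lower() == b.lower()


def check_ai_exe_launch(child: dict, parent: dict) -> list:
    """Compare one ai.exe process record against the baseline; an empty list
    means it matches what this report shows."""
    findings = []
    args = split_windows_cmdline(child["cmdline"])
    image = args[0] if args else ""
    if not image.lower().startswith(OFFICE_ROOT.lower() + "\\"):
        findings.append("image outside the Office install root: " + image)
    if not same_path(image, child["path"]):
        findings.append("command-line image differs from on-disk path")
    tail = args[1:]
    if len(tail) != 5:
        findings.append("expected 5 arguments after the image, got %d" % len(tail))
        return findings
    first_guid, second_guid, ppid, parent_image, model = tail
    if not (GUID_RE.match(first_guid) and GUID_RE.match(second_guid)):
        findings.append("first two arguments are not GUIDs")
    if not ppid.isdigit() or int(ppid) != parent["pid"]:
        findings.append("parent PID argument %r is not the real parent (%d)" % (ppid, parent["pid"]))
    if not same_path(parent_image, parent["path"]):
        findings.append("parent image argument does not match the real parent path")
    if not model.lower().endswith(".onnx"):
        findings.append("model argument is not an .onnx file: " + model)
    return findings


if __name__ == "__main__":
    print("observed:", check_ai_exe_launch(AI_EXE_OBSERVED, OUTLOOK_OBSERVED) or "baseline")
    print("suspicious:", check_ai_exe_launch(AI_EXE_SUSPICIOUS, OUTLOOK_OBSERVED))
```

Two details matter in practice: the parent path comparison has to be case-insensitive, because the on-disk path and the command-line argument in this very report differ only in the case of "root", and the PID argument should be checked against the parent's real PID from the process tree rather than trusted, since a dropped binary can copy the legitimate argument list verbatim.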

No disassembly