Windows Analysis Report
Fw_.eml

Overview

General Information

Sample name: Fw_.eml
Analysis ID: 1428261
MD5: afb6e85678612b52a92789309253a64a
SHA1: b4ad5b376487f123de43468f14081d9c8208adb3
SHA256: a71004161c6e3b993222adcec3ce9bfc5b95eb64ec873ddc614a72d43eff5441

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7564 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw_.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7708 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "77663507-5279-4BB0-8C02-6DE0FF5253CA" "12FC05C9-D86E-48A7-9888-D2FE2841325E" "7564" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched

There are no malicious signatures.

Strings found in binary or memory (source: 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr):
  • http://b.c2r.ts.cdn.office.net/pr
  • http://f.c2r.ts.cdn.office.net/pr
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://addinsinstallation.store.office.com/app/acquisitionlogging
  • https://addinsinstallation.store.office.com/app/download
  • https://addinsinstallation.store.office.com/appinstall/authenticated
  • https://addinsinstallation.store.office.com/appinstall/preinstalled
  • https://addinsinstallation.store.office.com/appinstall/unauthenticated
  • https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  • https://addinslicensing.store.office.com/apps/remove
  • https://addinslicensing.store.office.com/commerce/query
  • https://addinslicensing.store.office.com/entitlement/query
  • https://addinslicensing.store.office.com/orgid/apps/remove
  • https://addinslicensing.store.office.com/orgid/entitlement/query
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/api/addins/search
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.addins.store.office.com/addinstemplate
  • https://api.addins.store.office.com/app/query
  • https://api.addins.store.officeppe.com/addinstemplate
  • https://api.cortana.ai
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.diagnosticssdf.office.com/v2/feedback
  • https://api.diagnosticssdf.office.com/v2/file
  • https://api.microsoftstream.com
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.officescripts.microsoftusercontent.com/api
  • https://api.onedrive.com
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://api.powerbi.com/v1.0/myorg/imports
  • https://api.scheduler.
  • https://apis.live.net/v5.0/
  • https://apis.mobile.m365.svc.cloud.microsoft
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.designerapp.osi.office.net/designer-mobile
  • https://cdn.entity.
  • https://cdn.hubblecontent.osi.office.net/
  • https://cdn.int.designerapp.osi.office.net/fonts
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net
  • https://clients.config.office.net/
  • https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
  • https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://consent.config.office.com/consentcheckin/v1.0/consents
  • https://consent.config.office.com/consentweb/v1.0/consents
  • https://cortana.ai
  • https://cortana.ai/api
  • https://cr.office.com
  • https://d.docs.live.net
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://designerapp.officeapps.live.com/designerapp
  • https://dev.cortana.ai
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com
  • https://ecs.office.com/config/v1/Designer
  • https://ecs.office.com/config/v2/Office
  • https://edge.skype.com/registrar/prod
  • https://edge.skype.com/rps
  • https://enrichment.osi.office.net/
  • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://fpastorage.cdn.office.net/%s
  • https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/pivots/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://ic3.teams.office.com
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://inclient.store.office.com/gyro/client
  • https://inclient.store.office.com/gyro/clientstore
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://invites.office.com/
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  • https://lifecycle.office.com
  • https://login.microsoftonline.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://make.powerautomate.com
  • https://management.azure.com
  • https://management.azure.com/
  • https://messagebroker.mobile.m365.svc.cloud.microsoft
  • https://messaging.action.office.com/
  • https://messaging.action.office.com/setcampaignaction
  • https://messaging.action.office.com/setuseraction16
  • https://messaging.engagement.office.com/
  • https://messaging.engagement.office.com/campaignmetadataaggregator
  • https://messaging.lifecycle.office.com/
  • https://messaging.lifecycle.office.com/getcustommessage16
  • https://messaging.office.com/
  • https://metadata.templates.cdn.office.net/client/log
  • https://my.microsoftpersonalcontent.com
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus.contentsync.
  • https://ncus.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://ocos-office365-s2s.msedge.net/ab
  • https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://ods-diagnostics-ppe.trafficmanager.net
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officepyservice.office.net/
  • https://officepyservice.office.net/service.functionality
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://omex.cdn.office.net/addinclassifier/officeentities
  • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  • https://omex.cdn.office.net/addinclassifier/officesharedentities
  • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://otelrules.azureedge.net
  • https://otelrules.svc.static.microsoft
  • https://outlook.office.com
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://outlook.office365.com/connectors
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  • https://pages.store.office.com/review/query
  • https://pages.store.office.com/webapplandingpage.aspx
  • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • https://portal.office.com/account/?ref=ClientMeControl
  • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • https://powerlift-frontdesk.acompli.net
  • https://powerlift.acompli.net
  • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • https://prod-global-autodetect.acompli.net/autodetect
  • https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
  • https://pushchannel.1drv.ms
  • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • https://res.cdn.office.net
  • https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
  • https://res.cdn.office.net/polymer/models
  • https://res.getmicrosoftkey.com/api/redemptionevents
  • https://rpsticket.partnerservices.getmicrosoftkey.com
  • https://safelinks.protection.outlook.com/api/GetPolicy
  • https://service.officepy.microsoftusercontent.com/
  • https://settings.outlook.com
  • https://shell.suite.office.com:1443
  • https://skyapi.live.net/Activity/
  • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • https://staging.cortana.ai
  • https://storage.live.com/clientlogs/uploadlocation
  • https://store.office.cn/addinstemplate
  • https://store.office.de/addinstemplate
  • https://substrate.office.com
  • https://substrate.office.com/Notes-Internal.ReadWrite
  • https://substrate.office.com/search/api/v1/SearchHistory
  • https://substrate.office.com/search/api/v2/init
  • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://tasks.office.com
  • https://templatesmetadata.office.net/
  • https://uci.cdn.office.net/mirrored/smartlookup/current/
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • https://useraudit.o365auditrealtimeingestion.manage.office.com
  • https://visio.uservoice.com/forums/368202-visio-on-devices
  • https://web.microsoftstream.com/video/
  • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • https://webshell.suite.office.com
  • https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
  • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  • https://wus2.contentsync.
  • https://wus2.pagecontentsync.
  • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  • https://www.odwebp.svc.ms
  • https://www.yammer.com
Source: classification engine | Classification label: clean1.winEML@3/15@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240418T1835200265-7564.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw_.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "77663507-5279-4BB0-8C02-6DE0FF5253CA" "12FC05C9-D86E-48A7-9888-D2FE2841325E" "7564" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
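The process tree recorded here, Outlook launching ai.exe from the Click-to-Run vfs directory, is the expected shape for a benign .eml on a Click-to-Run Office install; the signal a malicious attachment leaves is Outlook spawning a shell, a script host, or a binary from a user-writable directory. The following triage helper is an added example and not part of the Joe Sandbox report: it applies that distinction to Sysmon-style process-creation records. The Office install roots, the list of suspicious child binaries and the sample events are assumptions constructed for illustration; only the first sample event mirrors the tree in this report.

```python
"""Flag unexpected child processes of OUTLOOK.EXE in process-creation records.

Added example; not part of the Joe Sandbox report. Outlook starting ai.exe
from the Click-to-Run vfs directory, as seen in this analysis, is normal
Office behaviour. Outlook starting a shell, a script host or a binary from
a user-writable directory is the pattern a malicious .eml would produce.
"""
import re
from dataclasses import dataclass

# Install roots a Click-to-Run Office build executes its own helpers from.
# Assumption: derived from the OUTLOOK.EXE and ai.exe paths in the report.
OFFICE_ROOTS = (
    "c:\\program files (x86)\\microsoft office\\root\\",
    "c:\\program files\\microsoft office\\root\\",
)

# Children that are almost never legitimate when the parent is Outlook.
# Assumption: a conventional shell/LOLBin list, not taken from the report.
SUSPICIOUS_CHILDREN = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "curl.exe", "wmic.exe",
})

# Directories an attachment-dropped payload typically executes from.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\")

OUTLOOK_IMAGE = r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"


@dataclass
class Verdict:
    image: str
    level: str   # "ignored", "expected", "review" or "suspicious"
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_child(parent_image: str, image: str, command_line: str = "") -> Verdict:
    """Classify one process-creation event by parent, image path and command line."""
    if _basename(parent_image) != "outlook.exe":
        return Verdict(image, "ignored", "parent is not Outlook; out of scope")
    name = _basename(image)
    lower = image.lower()
    if name in SUSPICIOUS_CHILDREN:
        return Verdict(image, "suspicious", f"Outlook spawned {name}")
    if lower.startswith(OFFICE_ROOTS):
        return Verdict(image, "expected", "Office Click-to-Run helper")
    if USER_WRITABLE.search(lower):
        return Verdict(image, "suspicious", "child runs from a user-writable path")
    if "http://" in command_line.lower() or "https://" in command_line.lower():
        return Verdict(image, "suspicious", "child command line carries a URL")
    return Verdict(image, "review", "child outside the Office install root")


def triage(events):
    """Return one Verdict per event; events are dicts with ParentImage, Image, CommandLine."""
    return [classify_child(e["ParentImage"], e["Image"], e.get("CommandLine", ""))
            for e in events]


# Constructed Sysmon EventID 1 style records. The first mirrors the process
# tree in this report; the remaining three are hypothetical.
SAMPLE_EVENTS = [
    {"ParentImage": OUTLOOK_IMAGE,
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe",
     "CommandLine": '"ai.exe" "77663507-5279-4BB0-8C02-6DE0FF5253CA" "12FC05C9-D86E-48A7-9888-D2FE2841325E" "7564"'},
    {"ParentImage": OUTLOOK_IMAGE,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ParentImage": OUTLOOK_IMAGE,
     "Image": r"C:\Users\user\AppData\Local\Temp\invoice.exe",
     "CommandLine": "invoice.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"{v.level:10} {v.image}  ({v.reason})")
```

The check is deliberately ordered: a known-bad child name wins even when it sits under a trusted path, the Office root allowlist is consulted only afterwards, and anything that is neither is escalated rather than silently accepted, so a renamed payload copied next to Office binaries still lands in the review bucket.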
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (54 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (the number in front of a technique is the count of matched signatures; entries without a number carry no matched signature):

Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses
Resource Development | Acquire Infrastructure; Domains; DNS Server
Initial Access | Valid Accounts; Default Accounts; Domain Accounts
Execution | Windows Management Instrumentation; Scheduled Task/Job; At
Persistence | 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation | 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion | 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery | 1 Process Discovery; 13 System Information Discovery; Query Registry
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection | Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control | Data Obfuscation; Junk Data; Steganography
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID 1428261; sample Fw_.eml; start date 18/04/2024; architecture WINDOWS; score 1): OUTLOOK.EXE (annotated 65 and 124 in the graph) started, and in turn started ai.exe. The graph image and its icon legend are not reproduced here.

Screenshots: this section contains all screenshots as thumbnails, including those not shown in the slideshow (images not reproduced here).

No Antivirus matches (reported four times, once per detection table).
Source | Detection | Scanner | Label (the Link column is empty for every row)
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe
https://otelrules.svc.static.microsoft | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://make.powerautomate.com | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
    high
    https://login.microsoftonline.com/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
      high
      https://shell.suite.office.com:144382CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
          high
          https://autodiscover-s.outlook.com/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
            high
            https://useraudit.o365auditrealtimeingestion.manage.office.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
              high
              https://outlook.office365.com/connectors82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                high
                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                  high
                  https://cdn.entity.82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://api.addins.omex.office.net/appinfo/query82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                    high
                    https://clients.config.office.net/user/v1.0/tenantassociationkey82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                      high
                      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                        high
                        https://powerlift.acompli.net82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://rpsticket.partnerservices.getmicrosoftkey.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://lookup.onenote.com/lookup/geolocation/v182CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                          high
                          https://cortana.ai82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                          • URL Reputation: safe
                          unknown
                          https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                            high
                            https://api.powerbi.com/v1.0/myorg/imports82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                              high
                              https://cloudfiles.onenote.com/upload.aspx82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                high
                                https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                  high
                                  https://entitlement.diagnosticssdf.office.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                    high
                                    https://api.aadrm.com/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://ofcrecsvcapi-int.azurewebsites.net/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://ic3.teams.office.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                      high
                                      https://www.yammer.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                        high
                                        https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                          high
                                          https://api.microsoftstream.com/api/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                            high
                                            https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                              high
                                              https://cr.office.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                high
                                                https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                  low
                                                  https://messagebroker.mobile.m365.svc.cloud.microsoft82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://otelrules.svc.static.microsoft82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://portal.office.com/account/?ref=ClientMeControl82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                    high
                                                    https://clients.config.office.net/c2r/v1.0/DeltaAdvisory82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                      high
                                                      https://edge.skype.com/registrar/prod82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                        high
                                                        https://graph.ppe.windows.net82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                          high
                                                          https://res.getmicrosoftkey.com/api/redemptionevents82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://powerlift-frontdesk.acompli.net82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://tasks.office.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                            high
                                                            https://officeci.azurewebsites.net/api/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://sr.outlook.office.net/ws/speech/recognize/assistant/work82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                              high
                                                              https://api.scheduler.82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://my.microsoftpersonalcontent.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://store.office.cn/addinstemplate82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://api.aadrm.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://edge.skype.com/rps82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                high
                                                                https://outlook.office.com/autosuggest/api/v1/init?cvid=82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                  high
                                                                  https://globaldisco.crm.dynamics.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                    high
                                                                    https://messaging.engagement.office.com/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                      high
                                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                        high
                                                                        https://dev0-api.acompli.net/autodetect82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://www.odwebp.svc.ms82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://api.diagnosticssdf.office.com/v2/feedback82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                          high
                                                                          https://api.powerbi.com/v1.0/myorg/groups82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                            high
                                                                            https://web.microsoftstream.com/video/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                              high
                                                                              https://api.addins.store.officeppe.com/addinstemplate82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://graph.windows.net82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                                high
                                                                                https://dataservice.o365filtering.com/82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://officesetup.getmicrosoftkey.com82CF9A93-11CF-439A-B6AD-44EF915C383D.0.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://analysis.windows.net/powerbi/api | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://prod-global-autodetect.acompli.net/autodetect | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | URL Reputation: safe | unknown
https://substrate.office.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://outlook.office365.com/autodiscover/autodiscover.json | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://consent.config.office.com/consentcheckin/v1.0/consents | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://d.docs.live.net | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | unknown
https://safelinks.protection.outlook.com/api/GetPolicy | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://ncus.contentsync. | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
http://weather.service.msn.com/data.aspx | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://apis.live.net/v5.0/ | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | URL Reputation: safe | unknown
https://officepyservice.office.net/service.functionality | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://templatesmetadata.office.net/ | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://messaging.lifecycle.office.com/ | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://pushchannel.1drv.ms | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://management.azure.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://outlook.office365.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://wus2.contentsync. | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/ios | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://make.powerautomate.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/api/addins/search | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://insertmedia.bing.office.net/odc/insertmedia | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://outlook.office365.com/api/v1.0/me/Activities | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://api.office.net | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://incidents.diagnosticssdf.office.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://asgsmsproxyapi.azurewebsites.net/ | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://entitlement.diagnostics.office.com | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://substrate.office.com/search/api/v2/init | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://outlook.office.com/ | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
https://storage.live.com/clientlogs/uploadlocation | 82CF9A93-11CF-439A-B6AD-44EF915C383D.0.dr | false | - | high
                                                                                                                                                      No contacted IP infos
                                                                                                                                                      Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                      Analysis ID:1428261
                                                                                                                                                      Start date and time:2024-04-18 18:34:29 +02:00
                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                      Overall analysis duration:0h 4m 14s
                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                      Report type:full
                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                      Technologies:
                                                                                                                                                      • HCA enabled
                                                                                                                                                      • EGA enabled
                                                                                                                                                      • AMSI enabled
                                                                                                                                                      Analysis Mode:default
                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                      Sample name:Fw_.eml
                                                                                                                                                      Detection:CLEAN
                                                                                                                                                      Classification:clean1.winEML@3/15@0/0
                                                                                                                                                      EGA Information:Failed
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Found application associated with file extension: .eml
                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, MoUsoCoreWorker.exe
                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 52.109.56.128, 23.34.82.8, 23.34.82.10, 52.113.194.132, 20.42.73.28
                                                                                                                                                      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, asia.configsvc1.live.com.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, inc-azsc-config.officeapps.live.com, onedscolprdeus15.eastus.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                      • VT rate limit hit for: Fw_.eml
                                                                                                                                                      No simulations
                                                                                                                                                      No context
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):231348
                                                                                                                                                      Entropy (8bit):4.392218113555133
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3072:MkgBWxS9gFmiGu20qoQart0Fv9BKT5nu3CUth2Lbpv+ZmaGq1:MUTmi2xnKT5n2f
                                                                                                                                                      MD5:68EEF97FB306B7E2F592820755F3BBEE
                                                                                                                                                      SHA1:A5158C88E99A2074B2086E8B3100D74434A596EA
                                                                                                                                                      SHA-256:346CEC19362DEA2437D63BC2DE1BEB28FB3BE980A3E4E147AC6256A8E5E94C6A
                                                                                                                                                      SHA-512:69C636E4C5C244F973927A18DBB42812365C5EF62E546F2B5D448D01858580DA5661FA6FA6CEB46886DD0FCC1D219E8176E7E65959AA489556D9DC1391671337
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:TH02...... .@~)`........SM01X...,...`..`............IPM.Activity...........h...............h............H..hD..............h........@...H..h\jon ...ppDa...h....0..........h...a...........h........_`&j...hZ..a@...I..v...h....H...8.+j...0....T...............d.........2h...............kO.f.....c.e...!h.............. h...<..........#h....8.........$h@.......8....."hx.......(.....'h..............1h...a<.........0h....4....+j../h....h.....+jH..hp+..p...D.....-h ...........+h...a....8................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):322260
                                                                                                                                                      Entropy (8bit):4.000299760592446
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                                                                                                                                                      MD5:CC90D669144261B198DEAD45AA266572
                                                                                                                                                      SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                                                                                                                                                      SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                                                                                                                                                      SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479: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
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):10
                                                                                                                                                      Entropy (8bit):2.6464393446710153
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:L+E:SE
                                                                                                                                                      MD5:64B5958CD7CB18F8C9E49A3409A853B0
                                                                                                                                                      SHA1:5B7D00A7FA080A52205B063F0F37FE430E5F10F7
                                                                                                                                                      SHA-256:613AC835DC3C70CDA4BDE31B22D6D635890F9625C67E8F947EBE3BE8B06B7F68
                                                                                                                                                      SHA-512:9B2C5B30F1895891B8AC564AC5EC3CF037A6977CD504B574EA49CAC89EFAE7767FEEB58650E887A6DBEED340771D41A5E5E35B65ADDC7D364B1FDEE4EA2A2117
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:1713458124
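The per-file fields above (Size, Entropy (8bit), Encrypted, MD5/SHA hashes) can be recomputed locally to check that a dropped file pulled from the sandbox is the one the report describes. The following is an added example, not Joe Sandbox code: it recomputes those fields over the one dropped file whose full content is visible on this page, the 10-byte timestamp "1713458124" (the report gives Entropy (8bit) 2.6464393446710153 for it, which the Shannon-entropy-in-bits-per-byte calculation reproduces). The "Encrypted" cut-off of 7.5 bits per byte is an assumed value for illustration; the report does not state the threshold Joe Sandbox uses.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: the 10-byte dropped file shown in the report
# ("Preview:1713458124", "Size (bytes):10", "File Type:ASCII text").
SAMPLE = b"1713458124"

# Assumed threshold for the "Encrypted" verdict. Joe Sandbox's own cut-off is
# not stated on the page; 7.5 bits/byte is a hypothetical value for illustration.
ENCRYPTED_THRESHOLD_BITS = 7.5


def shannon_entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte, on the 0.0 .. 8.0 scale that the
    report's 'Entropy (8bit)' field uses. Empty input is defined as 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD_BITS) -> bool:
    """Heuristic 'Encrypted' flag: near-8-bit entropy suggests compressed or
    encrypted content; plain text and structured data sit well below it."""
    return shannon_entropy_bits(data) >= threshold


def describe(data: bytes) -> dict:
    """Recompute the fields the report prints per dropped file, so a copy of
    the file can be matched against the report line by line."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_bits(data),
        "Encrypted": looks_encrypted(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


if __name__ == "__main__":
    for field, value in describe(SAMPLE).items():
        print(f"{field}:{value}")
```

Run against a file recovered from the analysis VM, a mismatch in any hash means the artifact is not the one the report analysed; the entropy figure alone only tells you the byte distribution matches, which is why the hashes are the authoritative check.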
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):166203
                                                                                                                                                      Entropy (8bit):5.340909347734608
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:d+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6g:0IQ9DQA+zqzMXeMJ
                                                                                                                                                      MD5:04E42EC1DA1364ABE8FD9261B78B14BB
                                                                                                                                                      SHA1:4B7A4B5767CF451D63C8D30E30AF383CA17FE24B
                                                                                                                                                      SHA-256:67044B407778AECC74BB71F5E6A9C19A4416FCBE0555FA3BB53956098BD2EAF4
                                                                                                                                                      SHA-512:B873AFBFACC6D91E708009D1ADCA689382C13398AA38833A51672DD1A9B8B3478E8306F186FDD90ED20AFBD29029ED30D992DFD05E3D9013B13D21A547364997
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-18T16:35:22">.. Build: 16.0.17607.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4096
                                                                                                                                                      Entropy (8bit):0.09304735440217722
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                                                                                                                                                      MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                                                                                                                                                      SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                                                                                                                                                      SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                                                                                                                                                      SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:SQLite Rollback Journal
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4616
                                                                                                                                                      Entropy (8bit):0.13784977103055013
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:7FEG2l+UA+9/FllkpMRgSWbNFl/sl+ltlslN04l9XllUA:7+/l9Bvg9bNFlEs1E398A
                                                                                                                                                      MD5:6F42A59505E7D6B87719E07383D87891
                                                                                                                                                      SHA1:8B35EFE8703C27E70D17019BB32747FA461AB56C
                                                                                                                                                      SHA-256:50BB86E41EB8824D52AB2FA26D7B7F6058D196F0C5329A5F8A7B996F44D08157
                                                                                                                                                      SHA-512:F432E44BD538F87AE9AB69BD73649C04930D053EA5ADAF3DC27811A61E9110EF990DA99F87DDB84C5BD94AE3B63ADA583C4E4C28A39AFBF5930488E13DE7244A
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:.... .c.....4.F.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):32768
                                                                                                                                                      Entropy (8bit):0.04449219512670338
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:G4l29UIK5mIznl29UIK5mIz18lL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l29UIK5jl29UIK5uL9XXPH4l942U
                                                                                                                                                      MD5:22E7980B346B1308E197C430C589861E
                                                                                                                                                      SHA1:A2A77E33BFEBDDE9A708F58F054F04A28EC300EB
                                                                                                                                                      SHA-256:EB29CFB5DAF1BC4D1DC1B479BF3FA195B8A174EF4763737028EDB3FF554073FF
                                                                                                                                                      SHA-512:15C51D0173B3277052B8152EC71289555048B4FFDFC4CC1709F9ADBF7521BD8478A0845B840F9038F97EA697094F022D8EDB17F68D59572A252627ACD44EBE74
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:..-.....................~.. ...|X.;...=..9.H..m...-.....................~.. ...|X.;...=..9.H..m.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):45352
                                                                                                                                                      Entropy (8bit):0.3944522773051417
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:5d4/pQjYSmZhill7DYMYsoNXxO8VFDYMY0yu:5dgaUSmZkll47dNhjVG70y
                                                                                                                                                      MD5:AF3C4B1B992E10284B9146788B9AC7C1
                                                                                                                                                      SHA1:73295F2C8D8C5090ABCC00C80E0BC33004CEF2AD
                                                                                                                                                      SHA-256:CB33C595C8F24A1B949668AE2EF3F40E005EB37C475777F1ADB657C1BAE7DA35
                                                                                                                                                      SHA-512:D8F849E8E393A4288C98989994B6CB9E2EB282B69C1BCD494CE3EDD6EBD1FDE7F02786F414847F81D2F6D56C97BAC111313771FCCA8DEB2ACBD7B94A0392D8DC
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:7....-..........X.;...=..".kmG..........X.;...=.b'.}.3.SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:ASCII text, with very long lines (28736), with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):20971520
                                                                                                                                                      Entropy (8bit):0.15957332553095377
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:yomvc79YuUTggO9ZJ6qLOAFEaB9g1H5y88jueKb+gAM7oBo:7RYH9O9b6qLd4ly
                                                                                                                                                      MD5:AD40EFBF8D161F9607857A578AFD5C01
                                                                                                                                                      SHA1:F392CD0C11BA7DD88C5AAC511CCD3E45B7335151
                                                                                                                                                      SHA-256:DD6032A247B27371367A84ACFC6EC0ECF56EDFC30186B4DE3ED434A8CD196EA8
                                                                                                                                                      SHA-512:0CC7D311E43BC225036A363619950EEFD90E56C14B3E4FAB1B6D75B5104375C3E9DB27D754E738AB390587D6D254BF496581603CEFD6CEFB0FF901E4F43FEC35
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..04/18/2024 16:35:20.576.OUTLOOK (0x1D8C).0x1D90.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-04-18T16:35:20.576Z","Contract":"Office.System.Activity","Activity.CV":"9A/5hc1euUS379gtzoJ2WQ.4.9","Activity.Duration":17,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...04/18/2024 16:35:20.592.OUTLOOK (0x1D8C).0x1D90.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-04-18T16:35:20.592Z","Contract":"Office.System.Activity","Activity.CV":"9A/5hc1euUS379gtzoJ2WQ.4.10","Activity.Duration":11875,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):20971520
                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3::
                                                                                                                                                      MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                      SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                      SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                      SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):102400
                                                                                                                                                      Entropy (8bit):4.503031266051441
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:sI0HrfmPwuDmt42a6+VMC9qzcEPoeGoTXFmevzlZuLUiE0TpvsKiWFWkW2Woj:04OsMC9qzYeGoTX2rj
                                                                                                                                                      MD5:58CAED96EF36921307282EDDA4940172
                                                                                                                                                      SHA1:33B3AB2B6E210CD9A926B56499C4928C2BF6F698
                                                                                                                                                      SHA-256:82F37419626CAAAAF18AFA7DA128A5316F364B58130A679D0F3A29614A55292A
                                                                                                                                                      SHA-512:69B78FFE19245663F2BBAC92EB70298B2F4C86B30D33924CF952E84086302B8E183E5CC3B6D998B05B9A05EBD48D0605CDC413E0412D5828F99C873ABBBDCC43
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:............................................................................b.............4g....................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1.............................................................^...............4g............v.2._.O.U.T.L.O.O.K.:.1.d.8.c.:.d.2.6.5.2.a.0.e.d.9.d.1.4.4.e.5.8.2.2.4.5.a.e.5.8.0.7.b.2.0.8.6...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.4.1.8.T.1.8.3.5.2.0.0.2.6.5.-.7.5.6.4...e.t.l.............P.P...........4g....................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):30
                                                                                                                                                      Entropy (8bit):1.2389205950315936
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:rXhlX:
                                                                                                                                                      MD5:ADBB52067D14E67A49D0BA69EDD6A192
                                                                                                                                                      SHA1:131E0BB9F596A404E3A6A3D031A80746C1A284EE
                                                                                                                                                      SHA-256:807E97E49F972AAA057EDD6E86C9BEA6262E4A524CB30B81F9A7101F009D039B
                                                                                                                                                      SHA-512:3128DC80EEF7C0B9CD982A2C429CB8AE59F52913A8F54E43B2C9B5288A3DC9A08FD0B206000E1940CA5D20B78DFE0628516665DFDEA0B7B55052443B992E4666
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:.............................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.6702073915038125
Encrypted:false
SSDEEP:12:rl3baFYlsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCJ:rvmnq1Py961J
MD5:078B6EF1902C00A2BDEBC3A87769D5F8
SHA1:2A4B717C3EA1108B6E2DF9C01E061327B1C6C3A1
SHA-256:FE3A2598B8E1D10446B65D8B95E131283BFCAB8D814D350C5E6AD90876A141CE
SHA-512:DE567EF3D5CD4EDE57504EA1060E40D023C31AB9C299009109CAC995A44EA0D083B5F8D8784E1020850D739F4530895ED4BCD607835FBA879A6CD97CC513ADA8
Malicious:false
                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.2558359138499817
Encrypted:false
SSDEEP:1536:j63TbhSEsn5WqXeT6ELwD2lnfKEGeFtEfW53jEpEHP4qQ10PAwr7+03W53jEpEHl:ShHLQ2lnByp9wBZp9
MD5:3D006425C387C3C3960BD8B15D0E7192
SHA1:05715AAF192570DFB9780328FECA06330943E2AE
SHA-256:BF9DA734654C35F17954AB3692AB18BA0F212005779B5F82AE5B4EC48B59A8F0
SHA-512:EE75526D19EF28305D5AA775BB16821FD9A976BDBF15B753BB434DAB1F07B7CAB99C48CCC9DD840DA4E6E9F9631AD9CD7FD8FC235E6119A624D3B74CE857509D
Malicious:false
                                                                                                                                                      Preview:!BDNd[..SM......\.......................]................@...........@...@...................................@...........................................................................$.......D.............................................................................................................................................................................................................................................................................................................................................$@......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):1.6325009409251063
Encrypted:false
SSDEEP:1536:MW53jEpEHP4qQ10PAwr1R0AcyWa3sGJyT:Op9l8Xg
MD5:C575FBB323C7866FB75F858C2B19C8C3
SHA1:E2DC88F004878D6924AE104AAD603DDB49B4231C
SHA-256:6406BB8DD99F0AB46CAF7F5BB9EEE9558DC089AA3167BBAD9E484EB67A18D655
SHA-512:226E535FE96A920857BF7B7E8965FE71FE40DC88DB61871FB3EAD384854D791BBFC465E6D3D8EEDC4BB9F8BE796C0497D0AF12096390DAD82DDFD1C6DE526441
Malicious:false
                                                                                                                                                      Preview:...C...]..............g......................#.!BDNd[..SM......\.......................]................@...........@...@...................................@...........................................................................$.......D.............................................................................................................................................................................................................................................................................................................................................$@.....g......................#..................................................................................................................."............................................................................H......................"......................."......-............................................................./.......|......................B.......(..............."......M.......
File type:RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):5.09710656626207
TrID:
• E-Mail message (Var. 5) (54515/1) 100.00%
File name:Fw_.eml
File size:8'813 bytes
MD5:afb6e85678612b52a92789309253a64a
SHA1:b4ad5b376487f123de43468f14081d9c8208adb3
SHA256:a71004161c6e3b993222adcec3ce9bfc5b95eb64ec873ddc614a72d43eff5441
SHA512:db6c0ad803ddbc9e56277b4061417754e8e05a18e2043904aeee9f9de401cf385434dcfa2571b3e55bd57bd594895494c3540d663c62013c023bb59d9125ab6f
SSDEEP:192:8g6iWB03tyfuaZuzY2lFRnMrJNetnvbL8DugOLZps0Iw19+qAsCcuNAt:Zf02NzY2tnaelvH8SgO/s0ISRAJAt
TLSH:9B02CAE4D94F0A9353A3B38C6DA3EC82F5848059E149D6B2B855422B21CC7E4C97F5DF
File Content Preview:Received: from hercules.tuhosting.cl...by hercules.tuhosting.cl with LMTP...id CBaGFR/6H2aiADEA+jhtNQ...(envelope-from <okeanihe393@archehome.com.tw>)...for <ccarrasco@agecomex.cl>; Wed, 17 Apr 2024 12:34:39 -0400..Received: from [181.225.27.55] (helo=cus
Subject:Fw:
From:roscoe hee-sub <okeanihe393@archehome.com.tw>
To:ccarrasco@agecomex.cl
Cc:
BCC:
Date:Wed, 17 Apr 2024 09:33:36 -0400
Communications:
• Important Notification. Greetings. You are on the verge of a serious legal conflict. This is your last chance to avoid severe consequences and protect your public image. Your system has been compromised. We have transferred all of your data to our servers. A trojan has been installed on the systems of all of your devices with Internet access. This program allows us to control your devices completely. This virus is undetectable thanks to advanced encryption techniques. The virus signatures are removed automatically every day. We have already transferred all of your data to our servers. We have access to your e-mails, messaging applications, social networks and contacts. While collecting data from your devices, we discovered compromising information. We observed your inclination towards adult content and your activities while viewing it. We possess recordings of your screen during these sessions. We have created a video that clearly shows you enjoying this content, which could destroy your reputation if it were made public. We have also found information on your device whose possession is illegal in your country. This could cause you legal problems. We can distribute evidence of your illicit activities to all of your contacts and make it public. We hold a large amount of your personal information: browsing history, correspondence, calls, photos and videos. We can expose all of this information. This will surely attract the attention of the police and other authorities in your country. With a single click, I can make all of the information from your device public. Consider the consequences. It would be an absolute disaster. Your life would be devastated. You will want to avoid this, won't you? The solution is simple. You must transfer me 1300 USD (US dollars) (in bitcoin, at the exchange rate at the time of the transfer). I will then delete all of the information about you from our servers. I will not bother you again. My bitcoin address for the payment: 115iJ7tvwXEKZb2A4u35P5z2zFPWXnVA5y If you do not know what Bitcoin is or how to use it, look it up on Google. You have 2 business days to make the payment. This e-mail will start the timer automatically once it is opened, since I will be notified. You do not need to reply to this letter; it is impossible to trace. Do not seek help; the bitcoin address is anonymous and you would only waste time. The police and other authorities will not be able to help you. If you do not act as instructed, I will publish the videos immediately. Changing your passwords will no longer be of any use, since all of your information is safe on our servers. I hope you make the right decision. You do not need to reply to this letter.
Attachments:
Key: Value
Received: from [181.225.27.55] (helo=customer-54.tpp.com.ar.27.225.181.in-addr.arpa) by hercules.tuhosting.cl with esmtp (Exim 4.97.1) (envelope-from <okeanihe393@archehome.com.tw>) id 1rx8F1-0000000DUZw-1wyh for ccarrasco@agecomex.cl; Wed, 17 Apr 2024 12:34:38 -0400
From: roscoe hee-sub <okeanihe393@archehome.com.tw>
To: ccarrasco@agecomex.cl
Subject: Fw:
Date: Wed, 17 Apr 2024 09:33:36 -0400
Message-ID: <39b9b8ce-d638-cfa0-2021-574fa15639b9@archehome.com.tw>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0075_01DA917A.D8535AF0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGksKAlZ20FP/GpMlgb335OIsprvA==
Content-Language: en-us
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Message-Completed: Wed, 17 Apr 2024 13:28:00 -0400
X-Message-Flag: Seguimiento
MIME-Version: 1.0

Icon Hash:46070c0a8e0c67d6
No network behavior found


Target ID:0
Start time:18:35:20
Start date:18/04/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw_.eml"
Imagebase:0x480000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Target ID:1
Start time:18:35:21
Start date:18/04/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "77663507-5279-4BB0-8C02-6DE0FF5253CA" "12FC05C9-D86E-48A7-9888-D2FE2841325E" "7564" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff7e6880000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

No disassembly