Windows Analysis Report
PAYMENT NOTIFICATION.msg

Overview

General Information

Sample name: PAYMENT NOTIFICATION.msg
Analysis ID: 1428852
MD5: 3f270bbe48c84b633c37d0493a2f4df6
SHA1: ca9f9d6940bed22a96926898556c24e60a0ef26b
SHA256: 4f04f02f0e9d7f25b362d4dbc7a5f46e30e5d1ef1292aa2ed903901a0b551d35

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 5708 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\PAYMENT NOTIFICATION.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 2612 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F50E66AD-0314-4E7A-B7E8-990ACE83531A" "7E3B2C7E-8387-4280-BACE-50728405353B" "5708" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5708, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched

There are no malicious signatures.

Source: ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.dr, strings found in binary or memory:
  • http://b.c2r.ts.cdn.office.net/pr
  • http://f.c2r.ts.cdn.office.net/pr
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://addinsinstallation.store.office.com/app/acquisitionlogging
  • https://addinsinstallation.store.office.com/app/download
  • https://addinsinstallation.store.office.com/appinstall/authenticated
  • https://addinsinstallation.store.office.com/appinstall/preinstalled
  • https://addinsinstallation.store.office.com/appinstall/unauthenticated
  • https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  • https://addinslicensing.store.office.com/apps/remove
  • https://addinslicensing.store.office.com/commerce/query
  • https://addinslicensing.store.office.com/entitlement/query
  • https://addinslicensing.store.office.com/orgid/apps/remove
  • https://addinslicensing.store.office.com/orgid/entitlement/query
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/api/addins/search
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.addins.store.office.com/addinstemplate
  • https://api.addins.store.office.com/app/query
  • https://api.addins.store.officeppe.com/addinstemplate
  • https://api.cortana.ai
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.diagnosticssdf.office.com/v2/feedback
  • https://api.diagnosticssdf.office.com/v2/file
  • https://api.microsoftstream.com
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.officescripts.microsoftusercontent.com/api
  • https://api.onedrive.com
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://api.powerbi.com/v1.0/myorg/imports
  • https://api.scheduler.
  • https://apis.live.net/v5.0/
  • https://apis.mobile.m365.svc.cloud.microsoft
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.designerapp.osi.office.net/designer-mobile
  • https://cdn.entity.
  • https://cdn.hubblecontent.osi.office.net/
  • https://cdn.int.designerapp.osi.office.net/fonts
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net
  • https://clients.config.office.net/
  • https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
  • https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://consent.config.office.com/consentcheckin/v1.0/consents
  • https://consent.config.office.com/consentweb/v1.0/consents
  • https://cortana.ai
  • https://cortana.ai/api
  • https://cr.office.com
  • https://d.docs.live.net
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://designerapp.officeapps.live.com/designerapp
  • https://dev.cortana.ai
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com
  • https://ecs.office.com/config/v1/Designer
  • https://ecs.office.com/config/v2/Office
  • https://edge.skype.com/registrar/prod
  • https://edge.skype.com/rps
  • https://enrichment.osi.office.net/
  • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://fpastorage.cdn.office.net/%s
  • https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/pivots/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://ic3.teams.office.com
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://inclient.store.office.com/gyro/client
  • https://inclient.store.office.com/gyro/clientstore
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://invites.office.com/
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  • https://lifecycle.office.com
  • https://login.microsoftonline.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://make.powerautomate.com
  • https://management.azure.com
  • https://management.azure.com/
  • https://messagebroker.mobile.m365.svc.cloud.microsoft
  • https://messaging.action.office.com/
  • https://messaging.action.office.com/setcampaignaction
  • https://messaging.action.office.com/setuseraction16
  • https://messaging.engagement.office.com/
  • https://messaging.engagement.office.com/campaignmetadataaggregator
  • https://messaging.lifecycle.office.com/
  • https://messaging.lifecycle.office.com/getcustommessage16
  • https://messaging.office.com/
  • https://metadata.templates.cdn.office.net/client/log
  • https://my.microsoftpersonalcontent.com
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus.contentsync.
  • https://ncus.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://ocos-office365-s2s.msedge.net/ab
  • https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://ods-diagnostics-ppe.trafficmanager.net
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officepyservice.office.net/
  • https://officepyservice.office.net/service.functionality
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://omex.cdn.office.net/addinclassifier/officeentities
  • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  • https://omex.cdn.office.net/addinclassifier/officesharedentities
  • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://otelrules.azureedge.net
  • https://otelrules.svc.static.microsoft
  • https://outlook.office.com
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://outlook.office365.com/connectors
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  • https://pages.store.office.com/review/query
  • https://pages.store.office.com/webapplandingpage.aspx
  • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • https://portal.office.com/account/?ref=ClientMeControl
  • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • https://powerlift-frontdesk.acompli.net
  • https://powerlift.acompli.net
  • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • https://prod-global-autodetect.acompli.net/autodetect
  • https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
  • https://pushchannel.1drv.ms
  • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • https://res.cdn.office.net
  • https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
  • https://res.cdn.office.net/polymer/models
  • https://res.getmicrosoftkey.com/api/redemptionevents
  • https://rpsticket.partnerservices.getmicrosoftkey.com
  • https://safelinks.protection.outlook.com/api/GetPolicy
  • https://service.officepy.microsoftusercontent.com/
  • https://settings.outlook.com
  • https://shell.suite.office.com:1443
  • https://skyapi.live.net/Activity/
  • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • https://staging.cortana.ai
  • https://storage.live.com/clientlogs/uploadlocation
  • https://store.office.cn/addinstemplate
  • https://store.office.de/addinstemplate
  • https://substrate.office.com
  • https://substrate.office.com/Notes-Internal.ReadWrite
  • https://substrate.office.com/search/api/v1/SearchHistory
  • https://substrate.office.com/search/api/v2/init
  • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://tasks.office.com
  • https://templatesmetadata.office.net/
  • https://uci.cdn.office.net/mirrored/smartlookup/current/
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • https://useraudit.o365auditrealtimeingestion.manage.office.com
  • https://visio.uservoice.com/forums/368202-visio-on-devices
  • https://web.microsoftstream.com/video/
  • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • https://webshell.suite.office.com
  • https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
  • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

Source: OUTLOOK_16_0_16827_20130-20240419T1802550840-5708.etl.0.dr, strings found in binary or memory:
  • https://login.windows.localnulle.OX
  • https://login.windows.localnullffiD
  • https://login.windows.localtloR
  • https://login.windows.localuidR

Source: App1713542576026413400_481A097A-73E8-45A4-88B1-E20CBAF6474E.log.0.dr, strings found in binary or memory:
  • https://login.windows.net
Source: ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drString found in binary or memory: https://wus2.contentsync.
Source: ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine; Classification label: clean1.winMSG@3/16@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240419T1802550840-5708.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\PAYMENT NOTIFICATION.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F50E66AD-0314-4E7A-B7E8-990ACE83531A" "7E3B2C7E-8387-4280-BACE-50728405353B" "5708" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix, listed per tactic column (a leading number marks a technique that matched observed behavior, as in the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook
Defense Evasion: 1 Masquerading; 1 Modify Registry; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 Process Discovery; 12 System Information Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1428852; Sample: PAYMENT NOTIFICATION.msg; Start date: 19/04/2024; Architecture: WINDOWS; Score: 1): OUTLOOK.EXE started, then started ai.exe.

No Antivirus matches
No contacted domains info
                                                                                              high
                                                                                              https://consent.config.office.com/consentcheckin/v1.0/consentsED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                high
                                                                                                https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                  high
                                                                                                  https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                    high
                                                                                                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                      high
                                                                                                      https://d.docs.live.netED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                        unknown
                                                                                                        https://safelinks.protection.outlook.com/api/GetPolicyED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                          high
                                                                                                          https://ncus.contentsync.ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                            high
                                                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                              high
                                                                                                              http://weather.service.msn.com/data.aspxED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                high
                                                                                                                https://apis.live.net/v5.0/ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://officepyservice.office.net/service.functionalityED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                  high
                                                                                                                  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                    high
                                                                                                                    https://templatesmetadata.office.net/ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                      high
                                                                                                                      https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                        high
                                                                                                                        https://messaging.lifecycle.office.com/ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                          high
                                                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                            high
                                                                                                                            https://pushchannel.1drv.msED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                              high
                                                                                                                              https://management.azure.comED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                high
                                                                                                                                https://outlook.office365.comED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://login.windows.netApp1713542576026413400_481A097A-73E8-45A4-88B1-E20CBAF6474E.log.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://wus2.contentsync.ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://incidents.diagnostics.office.comED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://clients.config.office.net/user/v1.0/iosED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://make.powerautomate.comED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://api.addins.omex.office.net/api/addins/searchED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://insertmedia.bing.office.net/odc/insertmediaED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://login.windows.localuidROUTLOOK_16_0_16827_20130-20240419T1802550840-5708.etl.0.drfalse
                                                                                                                                              unknown
                                                                                                                                              https://outlook.office365.com/api/v1.0/me/ActivitiesED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://api.office.netED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://incidents.diagnosticssdf.office.comED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://asgsmsproxyapi.azurewebsites.net/ED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://clients.config.office.net/user/v1.0/android/policiesED7D0167-8900-468D-9EC3-951B5AABC6E5.0.drfalse
                                                                                                                                                      high
No contacted IP infos

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428852
Start date and time: 2024-04-19 18:01:57 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PAYMENT NOTIFICATION.msg
Detection: CLEAN
Classification: clean1.winMSG@3/16@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .msg
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.52.131, 52.109.16.112, 96.7.224.75, 96.7.224.32, 52.113.194.132, 13.89.179.11
• Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com, asia.configsvc1.live.com.akadns.net, ncus-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdcus15.centralus.cloudapp.azure.com, tile-service.weather.microsoft.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, jpe-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: PAYMENT NOTIFICATION.msg
No simulations
No context
No context
No context
No context
No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 231348
Entropy (8bit): 4.382058910206557
Encrypted: false
SSDEEP: 1536:JMYLsPgsO4tSnVv1Cgs+nNcAz79ysQqt2L6pFqoQ0Brcm0Fve98ywUFMz5Z4DkpC:t0gjV0gDmiGu2WqoQCrt0FvApISQkn8k
MD5: 293E1DE53AFCF659D7CE0E2270A59867
SHA1: DB091BA720955B2524983C1EE7224FA8930F28CE
SHA-256: C0C9600B147E03686C9EF7373B7DB53D1222FA39B2FBDB36309E106878D86787
SHA-512: 83E4A45E88CB54EAC50843DF42DAA3C19226DBE2274A8F2A963E62273A86907EA438BCF9CEA6646BB47510D887F515C4194395E6BBEAA50EB40138F65F520510
Malicious: false
Reputation: low
Preview: TH02...... .0.S.s.......SM01X...,...P+E.s...........IPM.Activity...........h...............h............H..h..o...........h........xC..H..h\eng ...r\Ap...h.R..0.....o....h..G............h........_`bj...hA.G.@...I.6w...h....H...8.gj...0....T...............d.........2h...............kd.o.....P.o...!h.............. h..e"......o...#h....8.........$hxC......8....."hx.......X.....'h..............1h..G.<.........0h....4....gj../h....h.....gjH..h.$..p.....o...-h .......D.o...+h..G......o................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 322260
Entropy (8bit): 4.000299760592446
Encrypted: false
SSDEEP: 6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5: CC90D669144261B198DEAD45AA266572
SHA1: EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512: 16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious: false
Reputation: moderate, very likely benign file
Preview: 51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 10
Entropy (8bit): 2.7219280948873625
Encrypted: false
SSDEEP: 3:Lf:T
MD5: 463F763805126334557161753A18DF0A
SHA1: FE8E4431B8A6DF4FCFFFAD0AD40D024BD0BE552F
SHA-256: 83B5705EBD553A077A5030CBB2121A00BD91FE9C969FE83175712F86CAED4E9F
SHA-512: FE19CCAA2F932CE9D22F1AA50E5A0759CD0602292D46CFA0F81A405CC756E1E47A3844F91BB4852228FAC250FCB92424CFF8E2A06A725269B2DA1D105765C47C
Malicious: false
Reputation: low
Preview: 1713542579
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):166203
                                                                                                                                                      Entropy (8bit):5.340916466329012
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:z+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6g:iIQ9DQA+zqzMXeMJ
                                                                                                                                                      MD5:2915FA029B6EEE891D7C024C308F2AB6
                                                                                                                                                      SHA1:624ED71A477C73392AD42DFC8CBB908255429F3F
                                                                                                                                                      SHA-256:4730411D38C37C68BCC0A58EBCCA9B982BE4285D823E60BD2DEE532BE247522C
                                                                                                                                                      SHA-512:B485A2A85ECA2A4FE5D3C1DC3E3B26D0509C24631134D1A449E7DB0652409FF5CA15656962D0DA3D6F964BE94FC098B23E6599FCD3099F2DFEF768458277E724
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-19T16:02:58">.. Build: 16.0.17609.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4096
                                                                                                                                                      Entropy (8bit):0.09216609452072291
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:lSWFN3l/klslpF/4llfll:l9F8E0/
                                                                                                                                                      MD5:F138A66469C10D5761C6CBB36F2163C3
                                                                                                                                                      SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
                                                                                                                                                      SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
                                                                                                                                                      SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview:SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:SQLite Rollback Journal
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4616
                                                                                                                                                      Entropy (8bit):0.13760166725504608
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:7FEG2l+1qWl/FllkpMRgSWbNFl/sl+ltlslVlllfllM5n:7+/lx4g9bNFlEs1EP/c5
                                                                                                                                                      MD5:486A61B0DF35644D82E7B74513B167CA
                                                                                                                                                      SHA1:E080ECE33BF6CB7B627B9608991C7F0189947F7D
                                                                                                                                                      SHA-256:86A1D4A84DFB2A04F5A780F737EC998B885854AFD3EADEDFDB864593A2EA1389
                                                                                                                                                      SHA-512:6EFBEA9C7C8105CA0F45DA8AF7109AF43617FD01430C437927DBAF29F0C69743679AFE53ECC08F45E49679937D0643A6D28B288AFC90A16E69F47B21ED5DBB00
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:.... .c.....P.l\....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):32768
                                                                                                                                                      Entropy (8bit):0.04446227416749482
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:G4l22X1Nsksol/4l22X1Nsk0/ElL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l22FNswt4l22FNsEL9XXPH4l942U
                                                                                                                                                      MD5:9DC0730E6078DA28588EC8B4A96BB58C
                                                                                                                                                      SHA1:BB890DD425E4FAAB068699123F81930DAE09D2A0
                                                                                                                                                      SHA-256:699F474EBD21413E59E8A13A027A91B94533CFA778AF410E2CBD139E35610443
                                                                                                                                                      SHA-512:7BAA797C9104848A38D75CC6F67D3A143F988F9BA86AE30A4574A4606E1DEAE1DE7CF95A613E697C6FFBDD3544566FF5D933E69392FD11F976CFE7785951FA41
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:..-..........................8h....6.......A..I..-..........................8h....6.......A..I........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):45352
                                                                                                                                                      Entropy (8bit):0.39649331440474
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:KyLBiXQ3zRDgUll7DBtDi4kZERD8Szqt8VtbDBtDi4kZERD9N/:3BiXQ10Ull7DYMISzO8VFDYM
                                                                                                                                                      MD5:C9B809526364CF7E9104C63675459929
                                                                                                                                                      SHA1:A49B654304EB1C0BEE6125486F3EEDB65356B901
                                                                                                                                                      SHA-256:15152EF142503ADE3BEEC8794594203B79BE23CC2236BDF919180E5A50383885
                                                                                                                                                      SHA-512:68C40C49D2DDADA5DA3A47B52CD88BE73D5DF4BB284F50F313F5EF667A47592DA3C98E92837D2FDCE0FE647CFF88EA7A681C4B81F74E329AEFBF9CE8E37E029D
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:7....-.............6...c...c.............6...........SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:ASCII text, with very long lines (1979), with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):20971520
                                                                                                                                                      Entropy (8bit):0.006438476352331873
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:07MhgeAKTCh9j2FqwkLmcCMxp4qIn0pBG:07MfTu9j2FqwXMv9I0pBG
                                                                                                                                                      MD5:3485884B185B2A8DF2D4EA443A7969FE
                                                                                                                                                      SHA1:5E1D48313BE791755158577E7C553EF2222E6D9C
                                                                                                                                                      SHA-256:13508A3A2A3B3E77947588555200CBAE29A906977D4EAC69B1402838DD1D0668
                                                                                                                                                      SHA-512:3D308336505506F529CE74A026C770909F65B5EA2D3124A6455068AA0B1E8B3079E0DEA971D1AF632E255907855AF1F9CD5FEBC98AADC4547F63281581978388
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..04/19/2024 16:02:56.090.OUTLOOK (0x164C).0x1648.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":17,"Time":"2024-04-19T16:02:56.090Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"EC6CE8B8-419B-4470-A889-A48763A30FC2","Data.PreviousSessionInitTime":"2024-04-19T16:02:42.648Z","Data.PreviousSessionUninitTime":"2024-04-19T16:02:45.664Z","Data.SessionFlags":4,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...04/19/2024 16:02:56.121.OUTLOOK (0x164C).0xA54.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):20971520
                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3::
                                                                                                                                                      MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                      SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                      SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                      SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):118784
                                                                                                                                                      Entropy (8bit):4.653805265408332
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:Ve5Nm4pAbT2WJXyR34nm9ygMQRoXN2rRr5cLzw8CFjAmCRGWrA7HUOQIk6:VsiA4nm9ygSXDCFjABDA7HT
                                                                                                                                                      MD5:EE443492DF01E49993607CEAF8A0B46C
                                                                                                                                                      SHA1:3854EBB0857D0073B2F4873983D1E92ABDC3F9AF
                                                                                                                                                      SHA-256:5F34EAC6440CEF61B76EA79A918F6B355934C618835EB801BEFFEAA9DCC3FF4D
                                                                                                                                                      SHA-512:BF7EBB290CDC9160BED6BF8B390B2A5D1874DCBBCFC7AAB2675C174D74F7B2AAC10FF67E03DFE1449852BD11F6083CD305224196BCD5B9D9F0384D9DCA9D667C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:............................................................................h...H...L.......s...................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1...............................................................F...............s...........v.2._.O.U.T.L.O.O.K.:.1.6.4.c.:.5.9.2.1.6.b.8.2.3.9.0.d.4.b.a.d.a.4.3.8.d.b.6.3.f.c.4.c.c.8.a.d...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.4.1.9.T.1.8.0.2.5.5.0.8.4.0.-.5.7.0.8...e.t.l.......P.P.H...L.......s...................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 163840
Entropy (8bit): 0.36051259614322234
Encrypted: false
SSDEEP: 192:MLM7t/3tycGaC6jCj358hvNGi6mbtNNN0NgiXHWQOoqAbAq/:N9yraCpj3W9Nd6mbtnNDiXHOoqM
MD5: F45228DDFA769B391E65A2D7469D2D26
SHA1: E1F2CAD1CE733927E9A8C4701EA21149B46BCBBF
SHA-256: 796B4395AE6544464FB8FCE8445F4320B8E953CB12B9B95B6C2FEB5B0ED0178D
SHA-512: 13E3B1E0B4E9F6D1C9E6076186C98EE22AA449D659CA89D86CDD936ED8D1816E0F907EA2C46E54482B34D8545EF7D918BDAEBA9F7DB859756163E239D9B09677
Malicious: false
Reputation: low

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 30
Entropy (8bit): 1.2389205950315936
Encrypted: false
SSDEEP: 3:oilh1:oi
MD5: 47B14757DB8EC6706A953B78D7101DA7
SHA1: E2A0251C3F88E3EA9370351B628A31EA54D5FE04
SHA-256: 0D266985BC1AA75CE2C7E81EE66A3812442BEFDF0FDD0708D5BEAB60B313AC93
SHA-512: 4C53A060167C0E4A1AB3EAF2D0C0E2F24CBCC3F2BFC005FE8F50ED9DD18BE5DD806813D81EDED02DC18786680DEF6292DE2D5A874C1F54C0C4B7CBDAF06055E9
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.6687345669070093
Encrypted: false
SSDEEP: 12:rl3baFIf/sqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheC6so5x:rdmnq1Py9616so5x
MD5: 5B471EC77F78BC6154D56F2127B4BBD8
SHA1: 7E631D9638E1DEB19D5A86F58F1FB65CC68A443A
SHA-256: 06FE5EEB45308B5488A2F3DBABF2C2ED50D1ABFB5414DB76CE4E4D0880FFDB93
SHA-512: DBF51A406AFB55983FD5701AFE19029527F1291D497662A14E6E565276425B876B53B1397C0EC920D41C6864210A344DAE453C96D1E177E28964E3C6AD241A37
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 1.4688071995695262
Encrypted: false
SSDEEP: 768:aQcdRndRBTBvwWGdi8BUTIZrqXZqs0txqQVbPEK2GFqBf:8dXTG4eNZrqXZqsgq88KfYf
MD5: 4BCE194F2EF02B07CA59A4B72DED45F0
SHA1: 23F229917EAACAC9CF394875F822A6A84977433B
SHA-256: BF25CABC58A292A97F8922A723C394DEF729B9F69186386C812B63BA2563C4E0
SHA-512: 06EE4D71C70B846D330B493481BFFEC18185A726D72B3EBA1B86F7D6CB3A9876D684FCF73F19D5C54A80A7DCCE5D2D8F01DF6291828756CEC094EC8AFA1067D8
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.8714686944851882
Encrypted: false
SSDEEP: 192:pv2bqCq4RTgDaAVPNLA/vurMVtoKLaRsl7IDT4/i1R434c66V0zPlz:92nqBKGrEW2l7uTH1RU66UP
MD5: 3BA6BFB01E64BD7ED43B93E6FE0AE0EE
SHA1: 55B7F00B15901FA8B4DD8A814FC00147CB62C763
SHA-256: F4F005A66A2977270D92DEAD1C64A1C3B274381D4D2AA2B73F7F215C4F0964AE
SHA-512: 5902072B93BA38BFE22E972D377D1B53BE510933721FF9975E654A6693C1CA0DFDAE2D184290E15D6BDB21F3BA219CE368AF0F73A83F027C99EBE114431D9D5D
Malicious: false

File type: CDFV2 Microsoft Outlook Message
Entropy (8bit): 3.636434950175921
TrID:
• Outlook Message (71009/1) 58.92%
• Outlook Form Template (41509/1) 34.44%
• Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name: PAYMENT NOTIFICATION.msg
File size: 90'112 bytes
MD5: 3f270bbe48c84b633c37d0493a2f4df6
SHA1: ca9f9d6940bed22a96926898556c24e60a0ef26b
SHA256: 4f04f02f0e9d7f25b362d4dbc7a5f46e30e5d1ef1292aa2ed903901a0b551d35
SHA512: fd8bfe470cfac58474dc8dd119ff87ff8b81145a58d935c700b302e937e8c4a3b69a916c5d020cce130a8c28424c0d409c30a15cb2403643172cd56dda84529a
SSDEEP: 1536:om1cshWe1WejMiU7iIQxWuKxbYiwHyUrbYiwHyU:om1csveQcSPS
TLSH: F993342039FA5119F2B7EF3149E290D7893AFD92AD11965F3191334E0A72941ECB1B3B
Subject: PAYMENT NOTIFICATION
From: "Federal Reserve Bank" <atmdept5555@gmail.com>
To: kentsa@audits.ga.gov
Cc:
BCC:
Date: Fri, 19 Apr 2024 09:34:22 +0200
Communications:
• CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Attention; Sir/Madam, How are you and your families today? I hope all is well. I'm obliged to inform you that we received a fax notification from one Ms. Tatyana Cole, who claimed to be your representative, stating that you have been sick, and for that reason you have not been responding to emails messages. Furthermore, she stated you have authorized her to receive the ($10,500,000.00) Ten Million Five Hundred Thousand Dollars on your behalf, and the funds should be transferred to her direct bank account as follows; Bank Name; Wells Fargo Bank Account number; 6338102886 Routing number; 021000658 Account name; Tatyana Cole, However, she is ready to pay the required statutory fee for the fund to be transferred to her bank account now. So please we wish to confirm if truly the woman was your representative or not before we proceed in releasing the $10.5m fund to her bank account mentioned above. Failure to hear from you within the next 48 hours, we shall assume she is right with her claims. Awaiting your urgent response to this message. Yours sincerely, Mr James Howard Director, Remittance Dept. Federal Reserve Bank
Attachments:
Key Value
Received: from wax0cwn.com (101.230.65.66) by
  (260310b6:5:160::22) with Microsoft SMTP Server (version=TLS1_2,
  HTTPS; Fri, 19 Apr 2024 0734:20 +0000
  by MW4PR09MB10119.namprd09.prod.outlook.com (260310b6:303:1f0::21) with
  2024 0734:16 +0000
  Transport; Fri, 19 Apr 2024 0734:16 +0000
Authentication-Results: spf=softfail (sender IP is 101.230.65.66)
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
  0734:06 +0000
From: "Federal Reserve Bank" <atmdept5555@gmail.com>
Subject: PAYMENT NOTIFICATION
To: kentsa@audits.ga.gov
Content-Type: text/plain; charset=us-ascii
Reply-To: "Federal Reserve Bank" <jameshoward0221@gmail.com>,
Date: Fri, 19 Apr 2024 08:34:22 +0100
X-Priority: 3
Message-ID: <9c2a4049-4d65-43ca-bd82-6ee80a7435c1@BL02EPF0001B419.namprd09.prod.outlook.com>
Return-Path: atmdept5555@gmail.com
X-MS-Exchange-Organization-ExpirationStartTime: 19 Apr 2024 07:34:15.8428
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 15974605-7f32-4d4c-0ffc-08dc60431dc7
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 3ba88d15-70d4-4b83-8474-db703319c2a0:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BL02EPF0001B419:EE_|MW4PR09MB10119:EE_|SA1PR09MB7472:EE_
MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: BL02EPF0001B419.namprd09.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 15974605-7f32-4d4c-0ffc-08dc60431dc7
X-MS-Exchange-AtpMessageProperties: SA|SL
Content-Transfer-Encoding: quoted-printable
X-MS-Exchange-Organization-SCL: 5
X-Forefront-Antispam-Report: CIP:101.230.65.66;CTRY:CN;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:wax0cwn.com;PTR:InfoDomainNonexistent;CAT:SPOOF;SFS:(13230031)(7093399003)(3613699003)(18016005);DIR:INB;
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Apr 2024 07:34:06.0147
X-MS-Exchange-CrossTenant-Network-Message-Id: 15974605-7f32-4d4c-0ffc-08dc60431dc7
X-MS-Exchange-CrossTenant-Id: 3ba88d15-70d4-4b83-8474-db703319c2a0
X-MS-Exchange-CrossTenant-AuthSource: BL02EPF0001B419.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR09MB10119
X-MS-Exchange-Transport-EndToEndLatency: 00:00:14.7227886
X-MS-Exchange-Processed-By-BccFoldering: 15.20.7472.035
X-Microsoft-Antispam-Mailbox-Delivery: dwl:1;ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(831239)(255002)(410001)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?HlJyVEZoOlRZ/1LG2qgb/TtDPO5Cng9JZvdtFd7AOebUZl9g1qRBdx6CQ3fK?=
date: Fri, 19 Apr 2024 09:34:22 +0200

Icon Hash: c4e1928eacb280a2
No network behavior found


Target ID: 0
Start time: 18:02:55
Start date: 19/04/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\PAYMENT NOTIFICATION.msg"
Imagebase: 0xee0000
File size: 34'446'744 bytes
MD5 hash: 91A5292942864110ED734005B7E005C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 2
Start time: 18:02:56
Start date: 19/04/2024
Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F50E66AD-0314-4E7A-B7E8-990ACE83531A" "7E3B2C7E-8387-4280-BACE-50728405353B" "5708" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase: 0x7ff694ff0000
File size: 710'048 bytes
MD5 hash: EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false
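The process table above shows OUTLOOK.EXE launching ai.exe from the Office installation root, which is expected Click-to-Run behaviour rather than something the sample caused. When triaging a batch of such reports, the check a practitioner wants is whether any child of an Office process lives outside that root or is a well-known script or LOLBin host. The following is an added example (not part of the Joe Sandbox report or its tooling): the two real records are transcribed from the table, the records with target IDs 3 and 4 are constructed negatives for illustration, and the 64-bit Office root and the LOLBin list are assumptions that should be adjusted to the environment.

```python
"""Flag children of Office processes that run from outside the Office install
root or that are common script/LOLBin hosts. Added triage example; process
records 0 and 2 are taken from the sandbox report, 3 and 4 are constructed."""
import ntpath

# Assumption: default Click-to-Run roots. The report only shows the (x86) one.
OFFICE_ROOTS = tuple(
    ntpath.normcase(root) + "\\"
    for root in (
        r"C:\Program Files (x86)\Microsoft Office\root",
        r"C:\Program Files\Microsoft Office\root",
    )
)

# Assumption: binaries that are rarely legitimate children of Outlook/Word.
SUSPECT_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Process records keyed the way the report's process table presents them.
# "parent" is the Target ID of the spawning process (None for the root).
SANDBOX_PROCESSES = [
    {"target_id": 0, "parent": None,
     "path": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"target_id": 2, "parent": 0,
     "path": r"C:\Program Files (x86)\Microsoft Office\root\vfs"
             r"\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe"},
    # Constructed: a dropped binary in the user's temp directory.
    {"target_id": 3, "parent": 0,
     "path": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    # Constructed: a shell spawned directly by Outlook.
    {"target_id": 4, "parent": 0,
     "path": r"C:\Windows\System32\cmd.exe"},
]


def is_office_path(path: str) -> bool:
    """True when the image path lies under one of the Office install roots.
    ntpath.normcase lowercases and normalises slashes on any host OS."""
    return ntpath.normcase(path).startswith(OFFICE_ROOTS)


def suspicious_office_children(procs):
    """Return (target_id, image name) for every process whose parent is an
    Office binary and which either runs from outside the Office root or is
    one of the SUSPECT_CHILDREN names, wherever it runs from."""
    by_id = {p["target_id"]: p for p in procs}
    hits = []
    for proc in procs:
        parent = by_id.get(proc["parent"]) if proc["parent"] is not None else None
        if parent is None or not is_office_path(parent["path"]):
            continue
        name = ntpath.basename(ntpath.normcase(proc["path"]))
        if not is_office_path(proc["path"]) or name in SUSPECT_CHILDREN:
            hits.append((proc["target_id"], name))
    return hits


if __name__ == "__main__":
    for target_id, name in suspicious_office_children(SANDBOX_PROCESSES):
        print(f"Target ID {target_id}: unexpected Office child {name}")
```

On the report's own two records the function returns nothing, which is the point: ai.exe is inside the Office root and is not on the suspect list, so the Outlook-to-ai.exe edge does not by itself indicate the .msg did anything. The two constructed records show the two conditions that would have been worth escalating.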

No disassembly