Windows Analysis Report
Urgent Quotation.msg

Overview

General Information

Sample name:Urgent Quotation.msg
Analysis ID:1432035
MD5:71a6520ba2e67cb74200511b576aed68
SHA1:e458766390bfc7513ba9c1122224d39e7b35675a
SHA256:09193d00a915fb11dba8423034dc53e95aa426205600fcbbc84550f844eaa34f

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 6728 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Urgent Quotation.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 1008 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FCCC2CBB-B9FA-48B5-81AF-A11DD4271E5B" "5B0A904E-96E0-4E3A-8F5F-1A19C090AC5A" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma detected: Office Autorun Keys Modification
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Note: the writing process is OUTLOOK.EXE itself, launched from the Office install directory, and the value written is all zeros. The rule fires on any SetValue under an Office Addins key; here that is Outlook maintaining its own add-in entry, which is why the report still scores the sample 1/100.
No Snort rule has matched
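The Sigma hit above is the only signature of interest in this report, so it is worth seeing what the rule is actually keyed on and how an analyst separates this kind of hit from the case the rule exists for. The block below is an added example, not code from the Joe Sandbox report or from the Sigma project: it re-implements the core selection of "Office Autorun Keys Modification" over Sysmon Event ID 13 records and then applies a triage heuristic. The rule's real selection list and filters are not shown on this page, so OFFICE_ADDIN_KEY_RE, OFFICE_EXES and OFFICE_INSTALL_DIRS are assumptions made for the example; the event records are constructed, with REPORT_EVENT reproducing the fields the report prints.

```python
"""
Added example, not part of the Joe Sandbox report: a minimal re-implementation
of the matching idea behind the Sigma rule "Office Autorun Keys Modification"
(Sysmon Event ID 13, SetValue, under an Office Addins key), followed by the
triage step an analyst performs when it fires on a report like this one.

The rule's real selection list and filters are not shown on this page, so
OFFICE_ADDIN_KEY_RE, OFFICE_EXES and OFFICE_INSTALL_DIRS are assumptions made
for this example. The event records are constructed; REPORT_EVENT reproduces
the fields the report prints for the matching event.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SysmonRegistryEvent:
    event_id: int
    event_type: str
    image: str
    process_id: int
    target_object: str
    details: str


# Add-in registration keys read by Office at start-up (assumed pattern; the
# optional version component covers both HKCU\...\Office\16.0\Outlook\Addins
# and the versionless HKCU\...\Office\Outlook\Addins form).
OFFICE_ADDIN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Office\\(\d+\.\d+\\)?"
    r"(Outlook|Word|Excel|PowerPoint|Access|OneNote)\\Addins\\",
    re.IGNORECASE,
)

# Triage heuristic (assumption): an Office executable running from its install
# directory writing its own Addins key is the application maintaining its
# add-in list, which is what the report shows; anything else needs a look.
OFFICE_EXES = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
               "msaccess.exe", "onenote.exe"}
OFFICE_INSTALL_DIRS = (
    "c:\\program files\\microsoft office\\root\\office16\\",
    "c:\\program files (x86)\\microsoft office\\root\\office16\\",
)


def sigma_office_autorun_match(ev: SysmonRegistryEvent) -> bool:
    """True when the event satisfies the rule's core selection."""
    return (ev.event_id == 13
            and ev.event_type == "SetValue"
            and OFFICE_ADDIN_KEY_RE.search(ev.target_object) is not None)


def triage(ev: SysmonRegistryEvent) -> str:
    """Return 'no_match', 'office_self_write' (expected noise) or 'review'."""
    if not sigma_office_autorun_match(ev):
        return "no_match"
    image = ev.image.lower()
    exe = image.rsplit("\\", 1)[-1]
    if exe in OFFICE_EXES and image.startswith(OFFICE_INSTALL_DIRS):
        return "office_self_write"
    return "review"


def triage_all(events):
    """(pid, executable name, verdict) for each event, in input order."""
    return [(ev.process_id, ev.image.rsplit("\\", 1)[-1], triage(ev)) for ev in events]


# Event 1: the fields printed in the report for PID 6728 (OUTLOOK.EXE).
REPORT_EVENT = SysmonRegistryEvent(
    event_id=13, event_type="SetValue",
    image=r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
    process_id=6728,
    target_object=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1",
    details="00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
)
# Event 2 (constructed): an unrelated binary registering an Outlook add-in
# with LoadBehavior=3 (load at start-up). This is the case the rule exists for.
THIRD_PARTY_EVENT = SysmonRegistryEvent(
    event_id=13, event_type="SetValue",
    image=r"C:\Users\user\AppData\Local\Temp\updater.exe",
    process_id=4120,
    target_object=r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Example.Connect\LoadBehavior",
    details="DWORD (0x00000003)",
)
# Event 3 (constructed): Outlook writing an options key, outside the rule's scope.
UNRELATED_EVENT = SysmonRegistryEvent(
    event_id=13, event_type="SetValue",
    image=r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
    process_id=6728,
    target_object=r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General",
    details="DWORD (0x00000001)",
)
SAMPLE_EVENTS = [REPORT_EVENT, THIRD_PARTY_EVENT, UNRELATED_EVENT]

if __name__ == "__main__":
    for pid, exe, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{pid:>5} {exe:<14} {verdict}")
```

The heuristic is deliberately narrow: it only suppresses writes by a known Office executable running from the install directory. A hit from any other image, or from an Office binary copied elsewhere, stays in "review", which is the behaviour you want when the same rule is running in production rather than in a sandbox.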

Signature results: no malicious signatures matched. All matched signatures are listed in the Signatures section above.

Source: 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr
String found in binary or memory (one entry per string, as extracted; truncated strings are kept as found):
  • http://b.c2r.ts.cdn.office.net/pr
  • http://f.c2r.ts.cdn.office.net/pr
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://addinsinstallation.store.office.com/app/acquisitionlogging
  • https://addinsinstallation.store.office.com/app/download
  • https://addinsinstallation.store.office.com/appinstall/authenticated
  • https://addinsinstallation.store.office.com/appinstall/preinstalled
  • https://addinsinstallation.store.office.com/appinstall/unauthenticated
  • https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  • https://addinslicensing.store.office.com/apps/remove
  • https://addinslicensing.store.office.com/commerce/query
  • https://addinslicensing.store.office.com/entitlement/query
  • https://addinslicensing.store.office.com/orgid/apps/remove
  • https://addinslicensing.store.office.com/orgid/entitlement/query
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/api/addins/search
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.addins.store.office.com/addinstemplate
  • https://api.addins.store.office.com/app/query
  • https://api.addins.store.officeppe.com/addinstemplate
  • https://api.cortana.ai
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.diagnosticssdf.office.com/v2/feedback
  • https://api.diagnosticssdf.office.com/v2/file
  • https://api.microsoftstream.com
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.officescripts.microsoftusercontent.com/api
  • https://api.onedrive.com
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://api.powerbi.com/v1.0/myorg/imports
  • https://api.scheduler.
  • https://apis.live.net/v5.0/
  • https://apis.mobile.m365.svc.cloud.microsoft
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.designerapp.osi.office.net/designer-mobile
  • https://cdn.entity.
  • https://cdn.hubblecontent.osi.office.net/
  • https://cdn.int.designerapp.osi.office.net/fonts
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net
  • https://clients.config.office.net/
  • https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
  • https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://consent.config.office.com/consentcheckin/v1.0/consents
  • https://consent.config.office.com/consentweb/v1.0/consents
  • https://cortana.ai
  • https://cortana.ai/api
  • https://cr.office.com
  • https://d.docs.live.net
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://designerapp.officeapps.live.com/designerapp
  • https://dev.cortana.ai
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com
  • https://ecs.office.com/config/v1/Designer
  • https://ecs.office.com/config/v2/Office
  • https://edge.skype.com/registrar/prod
  • https://edge.skype.com/rps
  • https://enrichment.osi.office.net/
  • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://fpastorage.cdn.office.net/%s
  • https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/pivots/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://ic3.teams.office.com
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://inclient.store.office.com/gyro/client
  • https://inclient.store.office.com/gyro/clientstore
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://invites.office.com/
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  • https://lifecycle.office.com
  • https://login.microsoftonline.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://make.powerautomate.com
  • https://management.azure.com
  • https://management.azure.com/
  • https://messagebroker.mobile.m365.svc.cloud.microsoft
  • https://messaging.action.office.com/
  • https://messaging.action.office.com/setcampaignaction
  • https://messaging.action.office.com/setuseraction16
  • https://messaging.engagement.office.com/
  • https://messaging.engagement.office.com/campaignmetadataaggregator
  • https://messaging.lifecycle.office.com/
  • https://messaging.lifecycle.office.com/getcustommessage16
  • https://messaging.office.com/
  • https://metadata.templates.cdn.office.net/client/log
  • https://my.microsoftpersonalcontent.com
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus.contentsync.
  • https://ncus.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://ocos-office365-s2s.msedge.net/ab
  • https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://ods-diagnostics-ppe.trafficmanager.net
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officepyservice.office.net/
  • https://officepyservice.office.net/service.functionality
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://omex.cdn.office.net/addinclassifier/officeentities
  • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  • https://omex.cdn.office.net/addinclassifier/officesharedentities
  • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://otelrules.azureedge.net
  • https://otelrules.svc.static.microsoft
  • https://outlook.office.com
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://outlook.office365.com/connectors
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  • https://pages.store.office.com/review/query
  • https://pages.store.office.com/webapplandingpage.aspx
  • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • https://portal.office.com/account/?ref=ClientMeControl
  • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • https://powerlift-frontdesk.acompli.net
  • https://powerlift.acompli.net
  • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • https://prod-global-autodetect.acompli.net/autodetect
  • https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
  • https://pushchannel.1drv.ms
  • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • https://res.cdn.office.net
  • https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
  • https://res.cdn.office.net/polymer/models
  • https://res.getmicrosoftkey.com/api/redemptionevents
  • https://rpsticket.partnerservices.getmicrosoftkey.com
  • https://safelinks.protection.outlook.com/api/GetPolicy
  • https://service.officepy.microsoftusercontent.com/
  • https://settings.outlook.com
  • https://shell.suite.office.com:1443
  • https://skyapi.live.net/Activity/
  • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • https://staging.cortana.ai
  • https://storage.live.com/clientlogs/uploadlocation
  • https://store.office.cn/addinstemplate
  • https://store.office.de/addinstemplate
  • https://substrate.office.com
  • https://substrate.office.com/Notes-Internal.ReadWrite
  • https://substrate.office.com/search/api/v1/SearchHistory
  • https://substrate.office.com/search/api/v2/init
  • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://tasks.office.com
  • https://templatesmetadata.office.net/
  • https://uci.cdn.office.net/mirrored/smartlookup/current/
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • https://useraudit.o365auditrealtimeingestion.manage.office.com
  • https://visio.uservoice.com/forums/368202-visio-on-devices
  • https://web.microsoftstream.com/video/
  • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • https://webshell.suite.office.com
  • https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
  • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  • https://wus2.contentsync.
  • https://wus2.pagecontentsync.
  • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  • https://www.odwebp.svc.ms
  • https://www.yammer.com
Source: classification engine | Classification label: clean1.winMSG@3/12@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240426T1025170146-6728.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Urgent Quotation.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FCCC2CBB-B9FA-48B5-81AF-A11DD4271E5B" "5B0A904E-96E0-4E3A-8F5F-1A19C090AC5A" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FCCC2CBB-B9FA-48B5-81AF-A11DD4271E5B" "5B0A904E-96E0-4E3A-8F5F-1A19C090AC5A" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Behavior Graph (ID: 1432035) for sample Urgent Quotation.msg, start date 26/04/2024, architecture WINDOWS, score 1: OUTLOOK.EXE started, then OUTLOOK.EXE started ai.exe.

No Antivirus matches
Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe
https://otelrules.svc.static.microsoft | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://make.powerautomate.com | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://d.docs.live.net | 0% | Avira URL Cloud | safe
https://d.docs.live.net | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://login.microsoftonline.com/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://shell.suite.office.com:1443 | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://autodiscover-s.outlook.com/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://useraudit.o365auditrealtimeingestion.manage.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://outlook.office365.com/connectors | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://cdn.entity. | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://powerlift.acompli.net | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://cortana.ai | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://api.powerbi.com/v1.0/myorg/imports | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://api.aadrm.com/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://ic3.teams.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://www.yammer.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://api.microsoftstream.com/api/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://cr.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | Avira URL Cloud: safe | low
https://messagebroker.mobile.m365.svc.cloud.microsoft | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://portal.office.com/account/?ref=ClientMeControl | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://edge.skype.com/registrar/prod | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://graph.ppe.windows.net | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://api.scheduler. | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://store.office.cn/addinstemplate | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/rps | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://globaldisco.crm.dynamics.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://messaging.engagement.office.com/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://dev0-api.acompli.net/autodetect | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.diagnosticssdf.office.com/v2/feedback | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://api.powerbi.com/v1.0/myorg/groups | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://web.microsoftstream.com/video/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://dataservice.o365filtering.com/ | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | URL Reputation: safe | unknown
https://substrate.office.com | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://outlook.office365.com/autodiscover/autodiscover.json | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://consent.config.office.com/consentcheckin/v1.0/consents | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | | high
https://d.docs.live.net | 4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
                                                                                              https://safelinks.protection.outlook.com/api/GetPolicy4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                high
                                                                                                https://ncus.contentsync.4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                  high
                                                                                                  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                    high
                                                                                                    http://weather.service.msn.com/data.aspx4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                      high
                                                                                                      https://apis.live.net/v5.0/4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://officepyservice.office.net/service.functionality4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                        high
                                                                                                        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                          high
                                                                                                          https://templatesmetadata.office.net/4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                            high
                                                                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                              high
                                                                                                              https://messaging.lifecycle.office.com/4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                high
                                                                                                                https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                  high
                                                                                                                  https://pushchannel.1drv.ms4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                    high
                                                                                                                    https://management.azure.com4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                      high
                                                                                                                      https://outlook.office365.com4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                        high
                                                                                                                        https://wus2.contentsync.4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://incidents.diagnostics.office.com4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                          high
                                                                                                                          https://clients.config.office.net/user/v1.0/ios4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                            high
                                                                                                                            https://make.powerautomate.com4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://api.addins.omex.office.net/api/addins/search4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                              high
                                                                                                                              https://insertmedia.bing.office.net/odc/insertmedia4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                high
                                                                                                                                https://outlook.office365.com/api/v1.0/me/Activities4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://api.office.net4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://incidents.diagnosticssdf.office.com4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://asgsmsproxyapi.azurewebsites.net/4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://clients.config.office.net/user/v1.0/android/policies4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://entitlement.diagnostics.office.com4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://substrate.office.com/search/api/v2/init4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://outlook.office.com/4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://storage.live.com/clientlogs/uploadlocation4D4B3899-B0AF-4FBD-8C08-11C036A65037.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  No contacted IP infos
                                                                                                                                                  Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                  Analysis ID:1432035
                                                                                                                                                  Start date and time:2024-04-26 10:24:22 +02:00
                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 4m 16s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:full
                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                  Number of analysed new started processes analysed:5
                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Sample name:Urgent Quotation.msg
                                                                                                                                                  Detection:CLEAN
                                                                                                                                                  Classification:clean1.winMSG@3/12@0/0
                                                                                                                                                  EGA Information:Failed
                                                                                                                                                  HCA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Found application associated with file extension: .msg
                                                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.113.194.132, 20.42.73.24
                                                                                                                                                  • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, onedscolprdeus03.eastus.cloudapp.azure.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, mobile.events.data.trafficmanager.net
                                                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                  No simulations
                                                                                                                                                  No context
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):231348
                                                                                                                                                  Entropy (8bit):4.379827198794182
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3072:BmgVkTgkmiGu2qqoQwrt0Fv8z22KAtNOcGYaFdKbDJ:BUlmi2XnAtNOcGYaFdKb1
                                                                                                                                                  MD5:448B980C9BD23221F4575039FD549C55
                                                                                                                                                  SHA1:6271AA9C0A3074924F294833E72BCB141490BBAB
                                                                                                                                                  SHA-256:B21C3BCDE3D237B72FA25987FBE751F2728D42026F1B8B761DFF4FE96D36BC29
                                                                                                                                                  SHA-512:B62AEB2E6C92A6EEAD0164670C51D410DCCF8ED3F71E1FB1B9D0BEE2E98EC9E1E2493E08CEC27B5DF8B66285BD989810AB62C23C201D970958AFF121C4282066
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:TH02...... .0.p;........SM01X...,...P%d;............IPM.Activity...........h...............h............H..hl.o......wH....h...........H..h\eng ...r\Ap...h.r..0....o....h.q.............h........_`+j...h.p..@...I.6w...h....H...8.0j...0....T...............d.........2h...............k..5.......;...!h.............. h..3.....o...#h....8.........$h.......8....."h`N......@P....'h..?...........1h.q..<.........0h....4....0j../h....h.....0jH..hH...p...l.o...-h .........o...+h.n......`.o................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
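The Entropy (8bit) value in each dropped-file record is the Shannon entropy of the file's byte distribution, in bits per byte, from 0.0 (a single byte value throughout) to 8.0 (all 256 values equally frequent). Structured binary and XML land around 4 to 5.5 as in these records, a 32 KiB file near 0.05 is almost entirely zero bytes, and only values approaching 8 suggest packed or encrypted content. The snippet below, an added example written for this page rather than Joe Sandbox code, computes the value and applies a coarse reading of it; the thresholds in `describe` and the sample buffers are assumptions constructed for the example.

```python
"""Shannon entropy per byte, as shown in sandbox dropped-file records.

Added example; not Joe Sandbox code.  Thresholds in describe() are
assumptions chosen for illustration, not the sandbox's own cut-offs.
"""
import math
from collections import Counter


def entropy8(data: bytes) -> float:
    """Bits per byte: -sum(p * log2(p)) over the byte-value frequencies."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return h + 0.0   # normalise -0.0 to 0.0 for the single-value case


def describe(data: bytes) -> str:
    """Coarse reading of the value (assumed thresholds)."""
    h = entropy8(data)
    if h < 1.0:
        return "mostly one byte value (padding or zero-filled)"
    if h < 6.5:
        return "structured data or text"
    if h < 7.9:
        return "compressed, packed or mixed content"
    return "random-looking (encrypted or compressed)"


# Constructed samples standing in for the report's dropped files.
ZERO_FILLED = b"\x00" * 32768                      # like a pre-allocated 32 KiB cache
SMALL_HEADER = bytes(range(1, 17)) + b"\x00" * 32752  # 16 header bytes, rest zero
XML_TEXT = (b'<?xml version="1.0" encoding="utf-8"?>'
            b"<root><Count>12</Count><Resource><Id>Aptos</Id></Resource></root>") * 8
UNIFORM = bytes(range(256)) * 4                    # every byte value equally often

if __name__ == "__main__":
    for name, buf in [("zero-filled", ZERO_FILLED), ("small header", SMALL_HEADER),
                      ("xml text", XML_TEXT), ("uniform", UNIFORM)]:
        print(f"{name:13} {len(buf):6d} bytes  entropy={entropy8(buf):.4f}  {describe(buf)}")
```

Read the field alongside size and file type: a low value on a large file is not "suspiciously empty", it is a pre-sized cache, and a high value on a file the report types as XML or text is the combination that deserves a second look.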
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1869
                                                                                                                                                  Entropy (8bit):5.08466831846941
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:cG3/OdnzyrdyrB4nzyeiSy30Jdyrh3nzytRdy+GkSyrf1nzybIdywYASyQEdSyO:Od2rEu2BbOE92zEebJ2sE7AbHdbO
                                                                                                                                                  MD5:9181F1FE29CA7E05571ECB3B6EDC1DCA
                                                                                                                                                  SHA1:41F4B90B195F02BAC4F3E204C9DEB84BF0B82339
                                                                                                                                                  SHA-256:39F14A12E57A46385133B01A01690204DA57D46FD4B1F7532126414544A4A2F0
                                                                                                                                                  SHA-512:20642D29F33D68BA56C02F8440C2C3AC627EC08A8E750F9072F797C45F28C01B297C6F1C526D3ADD05FD7A91E57DE5F6598E9733CF6D589A88EA15A448621FB9
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-05T06:31:08Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2024-04-26T08:25:18Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-05T06:31:08Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-05T06:31:08Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>31169036496.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Apto
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):166208
                                                                                                                                                  Entropy (8bit):5.340933816546265
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:Z+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6Y:AIQ9DQA+zqzMXeMT
                                                                                                                                                  MD5:24A58EE816CA0D21143CD17DB9B9430C
                                                                                                                                                  SHA1:1C2B85FF1539641A3E12E1D0EA0C3EFC4EE244C3
                                                                                                                                                  SHA-256:5AF0C1BD6A3E7F1B2292A4FC50CF3F475D6ABA712501730A0F9784A6C19C0AD4
                                                                                                                                                  SHA-512:3FD2F450024C8EB51988923357EBECC26076B707924B7E72514B04D9C566AFB7C7FDE7A126FFADB2C75FBE7BB5E173FF4CB8B87ACE0361E7F0673827EAF394C2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-26T08:25:19">.. Build: 16.0.17619.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):32768
                                                                                                                                                  Entropy (8bit):0.045788677213747804
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:GtKbPxcjtY/tKbPxcj3/9X01PH4l942wU:dPOxYUPOZ0G3L
                                                                                                                                                  MD5:331B643BCFFEC131C9187D8DD5852F3D
                                                                                                                                                  SHA1:EA43120162674DC96298AFFDDA06B7F80E31012D
                                                                                                                                                  SHA-256:57B92647A35AABBAD2811540C21C3C5ADDA5B1E7176F179E51706E219E1DF3C2
                                                                                                                                                  SHA-512:2530C85A787C699EEF56197D3727D895EA559F6A78A6158595BD54877FBCF97CC81A2F08B39AF873E2D5011E01C25D2578E862E4A97FC18261D255F026B5954B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):49472
                                                                                                                                                  Entropy (8bit):0.4826926197184203
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:HdlvQ1+Ull7DYM+AzO8VFDYMbVayBO8VFDYML:Hczll4xIjVGWJjVGC
                                                                                                                                                  MD5:D8F3475B625929AAEB17B6A37AD479ED
                                                                                                                                                  SHA1:F234128AC55A5D57F5EC5F27EA0F5AE6562AA65D
                                                                                                                                                  SHA-256:6E524E12F33F15FCA4E2AFDE6D0462DD815F326F999229101E4C161910885C71
                                                                                                                                                  SHA-512:00717E8FEF390169723A58ABA7A1D8BE0E79B9F2C76832C14BC96E4A94876602E1E11F0A79C4F80D2AF8B8610BBB546185AA20EF229C114D52D82824CA085053
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:ASCII text, with very long lines (28751), with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                  Entropy (8bit):0.15991968669557083
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:3ZjIiYYpTGWjoPhpnCDgWVecTNVnmB41I0jQgNBw5YiXEvfBZ:jYkXjopqLCHCj
                                                                                                                                                  MD5:D0E20852E86F0E732168B757DA0A54DE
                                                                                                                                                  SHA1:CA7BBD117F944760D4E94D9002B993F8E2DCA3E2
                                                                                                                                                  SHA-256:AD70D203807FAF4842ADABDDCD7FA2DF4814201DE2FFAF4D61A065F6F09A89B0
                                                                                                                                                  SHA-512:C7F55685E2D1BD322BDEAD1932237C13A8CBB698662F041903BB22C26FD54D68CC0D649C08F4D52E96E483FC162930A7D9B55758FF0F52856E4FD91B8577E026
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..04/26/2024 08:25:17.396.OUTLOOK (0x1A48).0x8D8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-04-26T08:25:17.396Z","Contract":"Office.System.Activity","Activity.CV":"WDHWVkLpFEysAA0OriXLbA.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...04/26/2024 08:25:17.412.OUTLOOK (0x1A48).0x8D8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-04-26T08:25:17.412Z","Contract":"Office.System.Activity","Activity.CV":"WDHWVkLpFEysAA0OriXLbA.4.10","Activity.Duration":9859,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVers
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3::
                                                                                                                                                  MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                  SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                  SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                  SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):94208
                                                                                                                                                  Entropy (8bit):4.460597811687092
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:VZfx5r2cAP+vHMjMR8eI4jh96mg87JOy+XUmRywC2B5WuWYWAW7:3/+4jh96mg8dOZXT3Cd
                                                                                                                                                  MD5:7DA0EC311A625E7B013C82A54D3C594D
                                                                                                                                                  SHA1:F31B1E52B4AD87534C81B7DF2CEE799354CA98F6
                                                                                                                                                  SHA-256:1758FACA8D96D3A6CD0B1CD392EBB3EC35420B3D556BC7E457A416DB78FBACA1
                                                                                                                                                  SHA-512:1137B25F341288F66E196DA782C9612277F0F652FBE62446868D82C783AB0A3AD5CB5AE3984E95F47B2DC589B8429D66D0624DEE8BABF0AA3584CF73DCAB3529
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):163840
                                                                                                                                                  Entropy (8bit):0.3673729741523488
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:yzQ89A+ok6fQQDqdsK8+k8qVBt2qJerNS4eM4NgiXHWwOoqAbAFAqwNh/:a9Am6QQDC8+kboGers4eMniXHuoqMu
                                                                                                                                                  MD5:31E078C0998B0958A7F8E6B629EDF595
                                                                                                                                                  SHA1:836FF6559EE3B9FCFF73E3972400FBF4D66F20E6
                                                                                                                                                  SHA-256:37AEC7FBB04330BCB88B3B90594D6C45248C9B7B2B716A85CF4F2D27C8BCF3F7
                                                                                                                                                  SHA-512:D50F25E596048342E45353259760FFFF8E68DE088F25BE999FED657405C49B67E2D1FC25235A4D645BA903B39518163A53B3C4866D30E380B1CD74AAECDED6AC
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):30
                                                                                                                                                  Entropy (8bit):1.2389205950315936
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:uqSJt:uJ
                                                                                                                                                  MD5:B0814514EEAD8EDF0F8EC54F6B1A3EE7
                                                                                                                                                  SHA1:E445C3E0FD6CB984FFFE603C1797EF7529218E61
                                                                                                                                                  SHA-256:345F2924F0CB1A8DB209C55D1AF68F6728D0D902CE2BF5D3962407536CFD2B5C
                                                                                                                                                  SHA-512:40C2228A3500C53D2176447CB425F0002524A2A9E37B66603DB206F2CBEDC137FB01055204B95AC0B58F3762F1C1421E8B69761F3BDA4783CCBCBAE81DB3949F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:Microsoft Outlook email folder (>=2003)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):271360
                                                                                                                                                  Entropy (8bit):1.331279660228555
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:JDpIQcIN8J2efanVGkxTJQiwIXLvITQB+GQlVyHi/m1Bfk8BUTIZ:Tzefan4+BITtlqierfkeNZ
                                                                                                                                                  MD5:526A41C327026701BF6D96085CB097CE
                                                                                                                                                  SHA1:3BFE69C9C07AFFCF86756FA31C4F615949ADE484
                                                                                                                                                  SHA-256:54B064D26DC732D584DD2D853FFB0DB599FC8F9702FEA1DC9194B44840883179
                                                                                                                                                  SHA-512:318E9B49A67214CB20DBA9E601B7EFF1E14DB312C6E7357FAEB11A9C0598FAD91C2FF993A1A5190756A63FABE3174A78682FAD7E921DA77DA7D269E7E70BE767
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):131072
                                                                                                                                                  Entropy (8bit):1.2145293768299166
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:hXOM4tFdTHLmCkeGN4FslSkiCPIKURWaZG0yO4rxWLV57g47T1RHJr:cd2sGqJkiCQ/GBfoV50U
                                                                                                                                                  MD5:D1BCDB63ACC368BCACB58C49685B8050
                                                                                                                                                  SHA1:A16BFDC434DC76F8B9A7E7D5714F37DEA57C4211
                                                                                                                                                  SHA-256:81C4D8EDCF8C4E04F1AEAF38C3C9465AA8CB6F1034E757D59E2CAC7E403D2372
                                                                                                                                                  SHA-512:4F119E48663E2365EF7F2A01DD5CC67CF8E3F92910A5B2B5465CE7C5FEB23DD8D1E1C3F0D488960CF52BF2258FEE845AE439E134DBF928B42A110C6BBEADEA08
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
File type:CDFV2 Microsoft Outlook Message
Entropy (8bit):3.5641602431805155
TrID:
• Outlook Message (71009/1) 58.92%
• Outlook Form Template (41509/1) 34.44%
• Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:Urgent Quotation.msg
File size:41'984 bytes
MD5:71a6520ba2e67cb74200511b576aed68
SHA1:e458766390bfc7513ba9c1122224d39e7b35675a
SHA256:09193d00a915fb11dba8423034dc53e95aa426205600fcbbc84550f844eaa34f
SHA512:ed3da2281dcfec465251342ff4839a8eb7b55936ea0b329ebb60652611f4e7a77711c32f082b2ae48b1d8aaf9b9d76de205850d05d93d45d38502cdbe9fd7c00
SSDEEP:768:714eMtgsK9kK/+g+fOX5WzK4jysKVHsKFV4L+NtKwnq:N12gWOXjtHdV4Li
TLSH:B813802535FA4609F277DF325EE2909389377D91ED30C64F3195334E0AB2981A9B1B2B
Subject:Urgent Quotation
From:Danielle Davies <daviesdanielle.dd2@gmail.com>
To:
Cc:victormaks34@gmail.com
BCC:victormaks34@gmail.com
Date:Thu, 25 Apr 2024 16:27:11 +0200
Communications:
• Good Day, Please find the attached Quotation for your attention. Warm Regards.
Attachments:
Key Value
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-6153d85053aso9345597b3.0
  15.1.2507.37 via Mailbox Transport; Thu, 25 Apr 2024 16:27:33 +0200
  15.1.2507.37; Thu, 25 Apr 2024 16:27:33 +0200
  15.1.2507.37 via Frontend Transport; Thu, 25 Apr 2024 16:27:33 +0200
  by mx278.antispamcloud.com with esmtps (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
  for reception3@hatmed.co.za; Thu, 25 Apr 2024 16:27:31 +0200
  for <reception3@hatmed.co.za>; Thu, 25 Apr 2024 07:27:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  h=cc:subject:message-id:date:from:mime-version:x-gm-message-state
  :from:to:cc:subject:date:message-id:reply-to;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Forwarded-Encrypted: i=1; AJvYcCXZcjQMukuf3Q2WuFHPvXTptkW1AQtDcrMwVfaFFbn/O4+Q7KPSoygSWKCXCf4yN6lQqxREtagx1sMh344/vkkgAmn2dN+YkQ==
X-Gm-Message-State: AOJu0YzzTexvOeijVgvrcbozJ5bLerQxdNMVVX69IFROI+Pf+xUhfaKP
X-Received: by 2002:a05:690c:358a:b0:615:3858:d154 with SMTP id
  Apr 2024 07:27:22 -0700 (PDT)
MIME-Version: 1.0
From: Danielle Davies <daviesdanielle.dd2@gmail.com>
Date: Thu, 25 Apr 2024 16:27:11 +0200
Message-ID: <CALS=D47fet42OMWFYjqXexBoRpCLthY4vSJNNrZ2_TkWe2WF1A@mail.gmail.com>
Subject: Urgent Quotation
Cc: victormaks34@gmail.com
Content-Type: multipart/alternative; boundary="000000000000db35cc0616ec959d"
BCC: <reception3@hatmed.co.za>
Received-SPF: pass (mx278.antispamcloud.com: domain of gmail.com designates 2607:f8b0:4864:20::112a as permitted sender) client-ip=2607:f8b0:4864:20::112a; envelope-from=daviesdanielle.dd2@gmail.com; helo=mail-yw1-x112a.google.com;
X-SPF-Result: mx278.antispamcloud.com: domain of gmail.com designates 2607:f8b0:4864:20::112a as permitted sender
Authentication-Results: antispamcloud.com; spf=pass smtp.mailfrom=daviesdanielle.dd2@gmail.com; dkim=pass header.i=gmail.com
  iprev=pass (mail-yw1-x112a.google.com) smtp.remote-ip=2607:f8b0:4864:20::112a;
X-Spampanel-Class: unsure
X-Spampanel-Evidence: Combined (0.73)
X-Recommended-Action: accept
X-Filter-ID: 8G1aH+8yearZuN6N5+X5bm6KuAmzEgFjeXz34jnHp0xpHcZnhuUC426bxlmA3OLPw+I9pcC/OktB
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Return-Path: daviesdanielle.dd2@gmail.com
X-MS-Exchange-Organization-Network-Message-Id: 5d488299-aca7-450d-27de-08dc6533d8e7
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-C2ProcessedOrg: b871e11f-2424-4379-a75e-a1a8bfbe8592
X-MS-Exchange-Organization-AuthSource: DCEXCCAS02.cloudcontrl.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2804083
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2507.037
date: Thu, 25 Apr 2024 16:27:11 +0200

Icon Hash:c4e1928eacb280a2
No network behavior found


Target ID:0
Start time:10:25:17
Start date:26/04/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Urgent Quotation.msg"
Imagebase:0xca0000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Target ID:2
Start time:10:25:18
Start date:26/04/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FCCC2CBB-B9FA-48B5-81AF-A11DD4271E5B" "5B0A904E-96E0-4E3A-8F5F-1A19C090AC5A" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff7f9490000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

No disassembly