
Windows Analysis Report
+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg

Overview

General Information

Sample name: +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg
Analysis ID: 1560014
MD5: c0cebf10fc76277492e34983e1e7ba18
SHA1: a253a3ee5e81dbe3697e8d43e1c4846e51e13d34
SHA256: 86ddc4a08594384a5e145dab4cda659d3bbc880e447485118ce871d023507131

Detection

HtmlDropper
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Yara detected Html Dropper
Javascript uses Clearbit API to dynamically determine company logos
Detected TCP or UDP traffic on non-standard ports
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
IP address seen in connection with other malware
Invalid 'forgot password' link found
JA3 SSL client fingerprint seen in connection with other malware
Javascript checks online IP of machine
None HTTPS page querying sensitive user data (password, username or email)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7024 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6604 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "550F7674-3F8D-4D6F-9FD2-57E23C63B877" "E7AF7ADE-90E2-415B-96CF-D62D88560A6E" "7024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 5868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NBNSJS36\+1544-544pLaY.htm MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 5504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1944,i,2911835765227687181,244905721701180185,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
dropped/chromecache_85 | JoeSecurity_HtmlDropper_3 | Yara detected Html Dropper | Joe Security |
dropped/chromecache_89 | JoeSecurity_HtmlDropper_3 | Yara detected Html Dropper | Joe Security |

Source | Rule | Description | Author | Strings
1.2..script.csv | JoeSecurity_HtmlDropper_3 | Yara detected Html Dropper | Joe Security |
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set | Author: frack113 | Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NBNSJS36\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
No Suricata rule has matched

Phishing

Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | Joe Sandbox AI: Score: 10 | Reasons: HTML file with login form | DOM: 1.1.pages.csv
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: function createcaptchaandlink() { var linkcontainer = document.getelementbyid('linkcontainer'); var num1 = math.floor(math.random() * 10); var num2 = math.floor(math.random() * 10); var correctanswer = num1 + num2; var instruction = document.createelement('p'); instruction.classname = 'instruction'; instruction.textcontent = 'please solve the captcha to confirm you are human:'; var captchaquestion = document.createelement('p'); captchaquestion.classname = 'captcha-question'; captchaquestion.textcontent = num1 + ' + ' + num2 + ' = ?'; var captchainput = document.createelement('input'); captchainput.type = 'text'; captchainput.classname = 'captcha-input'; captchainput.id = 'captchainput'; var captchabutton = document.createelement('button'); captchabutton.textcontent = 'submit'; captchabutton.clas...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: Title: Microsoft Office does not match URL
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: Invalid link: Forgot Password?
Source: https://gectech.store/tsk/xls/t1s2k.js | HTTP Parser: function _0x422a(_0x1e526e,_0x516891){var _0x49c9fb=_0x114c();return _0x422a=function(_0x296a38,_0x3228ba){_0x296a38=_0x296a38-0x156;var _0x4b2f98=_0x49c9fb[_0x296a38];return _0x4b2f98;},_0x422a(_0x1e526e,_0x516891);}function _0x114c(){var _0x30589e=['forgot\x20password?','status','16px','4mwklau','none','text/css','privacy\x20statement','2faerror','<div\x20class=\x22text-right\x22><button\x20type=\x22button\x22\x20class=\x22btn\x20rounded-0\x20text-white\x20px-4\x22\x20id=\x22submit-btn\x22\x20style=\x22background-color:\x20#0066ba;\x22>sign\x20in</button></div>','load','#f2f2f2','1px\x20solid\x20#ddd','.logoname','#next','cursor','translate(-50%,\x20-50%)','34334tyivjj','approve_signin','#sign-in-another-way','(((.+)+)+)+$','keypress','div7','#back-text','20px\x2020px','<img\x20src=\x22https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico\x22\x20class=\x22img-fluid\x20logoimg\x22\x20width=\x2230px\x22>\x20\x20<span\x20class=\x22align-middle\x20h5\x20logoname\x22\x20id=\x22m...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: No favicon
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/NBNSJS36/+1544-544pLaY.htm | HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.16:49729 -> 185.174.100.20:8052
Source: Joe Sandbox View | IP Address: 13.107.246.45
Source: Joe Sandbox View | IP Address: 13.32.27.14
Source: Joe Sandbox View | IP Address: 13.107.246.60
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: global traffic | HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=6rl2LyKoVeyZTkc&MD=BcAl7bpT HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /eu.denso.com HTTP/1.1 | Host: logo.clearbit.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /eu.denso.com HTTP/1.1 | Host: logo.clearbit.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /tsk/xls/t1s2k.js HTTP/1.1 | Host: gectech.store | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /tsk/xls/t1s2k.js HTTP/1.1 | Host: gectech.store | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /start/xls/includes/css6.css HTTP/1.1 | Host: sopbtech.store | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: text/css,*/*;q=0.1 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: style | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=6rl2LyKoVeyZTkc&MD=BcAl7bpT HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /jquery-3.1.1.min.js HTTP/1.1 | Host: code.jquery.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /jquery-3.1.1.min.js HTTP/1.1 | Host: code.jquery.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1 | Host: aadcdn.msauth.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1 | Host: aadcdn.msauth.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /?format=json HTTP/1.1 | Host: api.ipify.org | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: application/json, text/javascript, */*; q=0.01 | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: null | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1 | Host: aadcdn.msauth.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1 | Host: aadcdn.msauth.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /?format=json HTTP/1.1 | Host: api.ipify.org | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: logo.clearbit.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: gectech.store
Source: global traffic | DNS traffic detected: DNS query: sopbtech.store
Source: global traffic | DNS traffic detected: DNS query: code.jquery.com
Source: global traffic | DNS traffic detected: DNS query: server.povbtech.store
Source: global traffic | DNS traffic detected: DNS query: _8052._https.server.povbtech.store
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: unknown | HTTP traffic detected: POST /RST2.srf HTTP/1.0 | Connection: Keep-Alive | Content-Type: application/soap+xml | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) | Content-Length: 3592 | Host: login.live.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://designerapp.azurewebsites.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://designerappservice.officeapps.live.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://dev.cortana.ai
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://devnull.onenote.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://directory.services.
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ecs.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ecs.office.com/config/v1/Designer
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://edge.skype.com/registrar/prod
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://edge.skype.com/rps
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://fpastorage.cdn.office.net/%s
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
        Source: +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg, +1544-544pLaY.htm.0.dr, +1544-544pLaY (002).htm.0.drString found in binary or memory: https://gectech.store/tsk/xls/t1s2k.js
        Source: chromecache_90.15.drString found in binary or memory: https://getbootstrap.com)
        Source: chromecache_90.15.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://graph.ppe.windows.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://graph.ppe.windows.net/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://graph.windows.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://graph.windows.net/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ic3.teams.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://incidents.diagnostics.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://invites.office.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://lifecycle.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://login.microsoftonline.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://login.microsoftonline.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://login.microsoftonline.com/organizations
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.dr, OUTLOOK_16_0_16827_20130-20241121T0349110350-7024.etl.0.drString found in binary or memory: https://login.windows.local
        Source: OUTLOOK_16_0_16827_20130-20241121T0349110350-7024.etl.0.drString found in binary or memory: https://login.windows.localnullD
        Source: OUTLOOK_16_0_16827_20130-20241121T0349110350-7024.etl.0.drString found in binary or memory: https://login.windows.localnullp
        Source: OUTLOOK_16_0_16827_20130-20241121T0349110350-7024.etl.0.drString found in binary or memory: https://login.windows.localo
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
        Source: +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg, +1544-544pLaY.htm.0.dr, +1544-544pLaY (002).htm.0.drString found in binary or memory: https://logo.clearbit.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://make.powerautomate.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://management.azure.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://management.azure.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.action.office.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.engagement.office.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://messaging.office.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://mss.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ncus.contentsync.
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ncus.pagecontentsync.
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://notification.m365.svc.cloud.microsoft/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://officeapps.live.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://officepyservice.office.net/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://officepyservice.office.net/service.functionality
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://onedrive.live.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://onedrive.live.com/embed?
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://otelrules.azureedge.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://otelrules.svc.static.microsoft
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office365.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office365.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://outlook.office365.com/connectors
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://pushchannel.1drv.ms
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://res.cdn.office.net
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://res.cdn.office.net/polymer/models
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://service.officepy.microsoftusercontent.com/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://service.powerapps.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://settings.outlook.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: chromecache_85.15.dr, chromecache_89.15.drString found in binary or memory: https://sopbtech.store/start/xls/includes/css6.css
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://staging.cortana.ai
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://substrate.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://tasks.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://templatesmetadata.office.net/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://wus2.contentsync.
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://wus2.pagecontentsync.
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://www.odwebp.svc.ms
        Source: F50850A1-F2F3-4163-A658-215AA997768B.0.drString found in binary or memory: https://www.yammer.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
        Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49727
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49726
        Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49723
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49721
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
        Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49678 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49718
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknown; Network traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49673 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49702
        Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknown; HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49702 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.16:49703 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49704 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49704 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.16:49708 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49709 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49723 version: TLS 1.2
        Source: classification engine; Classification label: mal60.phis.troj.winMSG@17/52@22/14
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Program Files\Google\Chrome\Application\Dictionaries
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241121T0349110350-7024.etl
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
        Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg"
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "550F7674-3F8D-4D6F-9FD2-57E23C63B877" "E7AF7ADE-90E2-415B-96CF-D62D88560A6E" "7024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NBNSJS36\+1544-544pLaY.htm
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1944,i,2911835765227687181,244905721701180185,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "550F7674-3F8D-4D6F-9FD2-57E23C63B877" "E7AF7ADE-90E2-415B-96CF-D62D88560A6E" "7024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NBNSJS36\+1544-544pLaY.htm
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1944,i,2911835765227687181,244905721701180185,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
        Source: Google Drive.lnk.13.dr; LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
        Source: YouTube.lnk.13.dr; LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
        Source: Sheets.lnk.13.dr; LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
        Source: Gmail.lnk.13.dr; LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
        Source: Slides.lnk.13.dr; LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
        Source: Docs.lnk.13.dr; LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
        Source: Window Recorder; Window detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

        Data Obfuscation

        Source: Yara match; File source: 1.2..script.csv, type: HTML
        Source: Yara match; File source: dropped/chromecache_85, type: DROPPED
        Source: Yara match; File source: dropped/chromecache_89, type: DROPPED
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
        Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        ATT&CK matrix, listed per tactic; the number in parentheses is the count of matching signatures where the report shows one:

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
        Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script
        Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script
        Defense Evasion: Masquerading (3); Modify Registry (1); Process Injection (1); DLL Side-Loading (1); Software Packing
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: Process Discovery (1); File and Directory Discovery (1); System Information Discovery (13); System Network Configuration Discovery; Internet Connection Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
        Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Ingress Tool Transfer (1)
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact