

Windows Analysis Report
nested-a.manasova@mlsp.kg.eml

Overview

General Information

Sample Name: nested-a.manasova@mlsp.kg.eml
Analysis ID: 882696
MD5: 4a7e15c9c669418b6397e95d1f15335b
SHA1: 0bd5e0e1e025b5e9e1d97fc2975695d7604195aa
SHA256: 648c7defd331df51001dee4b874a404d67ebc8ca8f21775f27e0581405e061cd

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

LLM found phishing text in email (MSG / EML)
Creates or modifies windows services
Deletes files inside the Windows folder
Creates files inside the system directory

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7280 cmdline: "C:\PROGRA~2\MICROS~1\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-a.manasova@mlsp.kg.eml" MD5: 7DD935BA9B57D9D7EFF63C67653E70B5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Phishing

Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Subject contains [EXT]NOTIFICATION which is unusual
Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Sender's email address is from an unrelated domain
Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Email is sent to undisclosed recipients
Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Email contains a warning about originating from outside the organization
Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Message asks to verify account
Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Unusual URL for Zimbra login
Source: nested-a.manasova@mlsp.kg.eml | ChatGPT: Communication: 0 reasoning: Spelling and grammar errors in the email
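The seven reasons above are the output of the sandbox's LLM signature; they are ordinary header and body heuristics and can be reproduced deterministically. The script below is an added example, not part of the Joe Sandbox report, and runs those checks over a constructed message shaped like the one described (the sender, subject and link are invented; mlsp.kg as the recipient organisation is taken from the sample name). The spelling-and-grammar reason is left out, since it needs a language model or a dictionary. Note that the [EXT] tag and the external-origin banner are added by the recipient's own gateway and only say the mail is external, so on their own they are weak signals; the off-domain "Zimbra login" link is the one that matters.

```python
"""Heuristic phishing checks over an .eml, reproducing the reasons the
report's LLM signature gave, as plain code you can run over a mail archive.
Added example; not part of the Joe Sandbox report."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (assumption): NOT the analysed message, only shaped like it.
SAMPLE_EML = b"""\
From: Mail Admin <helpdesk@repair-shop.example>
To: undisclosed-recipients:;
Subject: [EXT]NOTIFICATION: mailbox verifcation required
Content-Type: text/plain; charset="utf-8"

CAUTION: This email originated from outside the organization.

Your Zimbra mailbox have exceed its storage limit. Please verify your account
within 24 hours to avoid suspension: https://verify.repair-shop.example/zimbra/

Thank you,
Mail Admin
"""

# Recipient organisation, taken from the sample file name (assumption).
ORG_DOMAIN = "mlsp.kg"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_eml(raw):
    """Parse raw RFC 5322 bytes with the modern header-aware policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def body_text(msg):
    """Return the text/plain body (falling back to text/html) or ''."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def _in_org(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def phishing_indicators(msg, org_domain=ORG_DOMAIN):
    """Return the list of triggered heuristics; an empty list means none fired."""
    hits = []
    subject = str(msg.get("Subject", "")).lower()
    to_hdr = str(msg.get("To", "")).lower()
    body = body_text(msg)
    lower = body.lower()
    from_dom = sender_domain(msg)

    if "[ext]" in subject:
        hits.append("subject carries an external-mail tag")
    if from_dom and not _in_org(from_dom, org_domain):
        hits.append("sender domain %s is unrelated to %s" % (from_dom, org_domain))
    if not to_hdr or "undisclosed" in to_hdr:
        hits.append("sent to undisclosed recipients")
    if "originated from outside" in lower:
        hits.append("body carries an external-origin warning")
    if re.search(r"verify\s+(your\s+)?account", lower):
        hits.append("asks the reader to verify an account")
    if "zimbra" in lower:
        # A mailbox-login link for the org's own webmail must stay on the org domain.
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not _in_org(host, org_domain):
                hits.append("Zimbra login link points off-domain: " + host)
    return hits


def verdict(hits, threshold=3):
    """Crude score: three or more independent heuristics is 'phishing'."""
    return "phishing" if len(hits) >= threshold else "clean"


if __name__ == "__main__":
    found = phishing_indicators(parse_eml(SAMPLE_EML))
    for h in found:
        print("-", h)
    print(verdict(found))
```

The threshold is deliberately low because each check is cheap and noisy; in a mail pipeline you would weight the off-domain login link and the credential request far above the gateway-added banner and tag.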
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.aadrm.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.cortana.ai
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.office.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://api.scheduler.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://augloop.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.entity.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: nested-a.manasova@mlsp.kg.eml | String found in binary or memory: https://comfirmationandverification.duartemobilerepair.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cortana.ai
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cortana.ai/api
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://cr.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://d.docs.live.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://directory.services.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://graph.windows.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://invites.office.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://login.windows.local
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://make.powerautomate.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://management.azure.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://management.azure.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.action.office.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.engagement.office.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://messaging.office.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://officeapps.live.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://onedrive.live.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://otelrules.azureedge.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office365.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://pushchannel.1drv.ms
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://settings.outlook.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://tasks.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://wus2.contentsync.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | String found in binary or memory: https://www.yammer.com
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File deleted: C:\Windows\SysWOW64\PerfStringBackup.TMP
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File created: C:\Windows\inf\Outlook\
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\{C2D3A2CC-61E8-47C3-8A6A-A834755E14A3} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File written: C:\Windows\INF\Outlook\outlperf.ini
Source: classification engine | Classification label: sus21.phis.winEML@1/11@0/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File read: C:\Program Files (x86)\Microsoft Office\Office16\1033\OUTLPERF.INI
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Window detected: Number of UI elements: 13
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
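Triage check, added here as an example and not part of the Joe Sandbox report: the only service-related event above is the creation of the Services\Outlook\Performance subkey. Together with the outlperf.ini written under C:\Windows\INF\Outlook\ and the deletion of PerfStringBackup.TMP in SysWOW64, that is the performance counter provider registration Office performs on first run, not the installation of a service, so the "Creates or modifies windows services" signature in the overview is noise for this sample. The function below applies that rule to the report's rows (copied into the script as constructed input) and, for contrast, to a hypothetical service key backed by an ImagePath value; the UpdaterSvc name is invented and does not appear in the report.

```python
import re

# Constructed sample: the OUTLOOK.EXE behaviour rows from this report reduced
# to (event, path) pairs. Copied from the report text, not captured live.
OUTLOOK_EVENTS = [
    ("File deleted", "C:\\Windows\\SysWOW64\\PerfStringBackup.TMP"),
    ("File created", "C:\\Windows\\inf\\Outlook\\"),
    ("File written", "C:\\Windows\\INF\\Outlook\\outlperf.ini"),
    ("File read", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ("Registry key created",
     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Outlook\\Performance"),
]

# Hypothetical contrast case (not in the report): a real service install,
# i.e. the Services\<name> key itself plus an ImagePath value.
FAKE_SERVICE_EVENTS = [
    ("Registry key created",
     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\UpdaterSvc"),
    ("Registry value set",
     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\UpdaterSvc\\ImagePath"),
]

# Services\<name> followed by an optional subkey path (Performance, Parameters, ...).
SERVICE_KEY = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)(?:\\(.*))?$", re.I)
# %SystemRoot%\INF\<name>\<something>perf.ini is the counter definition lodctr consumes.
PERF_INI = re.compile(r"\\Windows\\INF\\([^\\]+)\\[^\\]*perf\.ini$", re.I)
PERF_BACKUP = re.compile(r"\\PerfStringBackup\.(?:INI|TMP)$", re.I)
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts$", re.I)


def triage(events):
    """Map noteworthy events to verdict strings.

    Keys are 'service:<name>' for every Services\\<name> key touched, plus
    'perf-string-backup' and 'hosts-read' for the two file events sandboxes
    commonly flag. Verdicts start with 'benign', 'info', 'review' or 'suspicious'.
    """
    perf_only = set()     # names where only the Performance subkey was touched
    real_keys = set()     # names where the key itself or another subkey was touched
    counter_inis = set()  # names that also received an INF\<name>\*perf.ini
    findings = {}
    for _kind, path in events:
        m = SERVICE_KEY.search(path)
        if m:
            name, sub = m.group(1).lower(), (m.group(2) or "")
            (perf_only if sub.lower().startswith("performance") else real_keys).add(name)
            continue
        m = PERF_INI.search(path)
        if m:
            counter_inis.add(m.group(1).lower())
        elif PERF_BACKUP.search(path):
            findings["perf-string-backup"] = (
                "benign: temporary copy of the counter string backup written "
                "during performance counter registration")
        elif HOSTS_FILE.search(path):
            findings["hosts-read"] = (
                "info: name resolution reads hosts; inspect the file for added "
                "entries, the read by itself is not a finding")
    for name in perf_only - real_keys:
        if name in counter_inis:
            findings[f"service:{name}"] = (
                "benign: performance counter provider registration "
                "(Services\\<name>\\Performance plus INF\\<name>\\*perf.ini), "
                "not a service install")
        else:
            findings[f"service:{name}"] = (
                "review: Performance subkey created without a matching counter .ini")
    for name in real_keys:
        findings[f"service:{name}"] = (
            "suspicious: service key created or modified; verify ImagePath, "
            "Start and Type and the binary it points to")
    return findings


if __name__ == "__main__":
    for tag, verdict in triage(OUTLOOK_EVENTS).items():
        print(f"{tag:22} {verdict}")
```

The rule keys on the shape of the registry path rather than on the process name, so it still fires "suspicious" for a sample that writes Services\<name> directly, and it downgrades only when the Performance subkey and the INF counter definition appear together.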
MITRE ATT&CK matrix (the number shown before a technique is the badge from the original matrix, Joe Sandbox's count of matched signatures mapped to that technique; techniques without a number are the matrix template's default entries with no matching signature):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 11 Masquerading; 1 File Deletion; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 2 File and Directory Discovery; 2 System Information Discovery; 1 Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior graph: not rendered in this export. Its legend distinguishes the following node and edge types:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots: thumbnails not rendered in this export (one screenshot, windows-stand).
No Antivirus matches (reported for each of the four scan categories preceding the URL table)
Source | Detection | Scanner | Label (the Link column is empty in this export)
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://d.docs.live.net | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://make.powerautomate.com | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://login.windows.local | 0% | URL Reputation | safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
https://api.officescripts.microsoftusercontent.com/api | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
    high
    https://login.microsoftonline.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
      high
      https://shell.suite.office.com:14437C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
          high
          https://autodiscover-s.outlook.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
            high
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
              high
              https://cdn.entity.7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
              • URL Reputation: safe
              unknown
              https://api.addins.omex.office.net/appinfo/query7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                high
                https://clients.config.office.net/user/v1.0/tenantassociationkey7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                  high
                  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                    high
                    https://powerlift.acompli.net7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://rpsticket.partnerservices.getmicrosoftkey.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://lookup.onenote.com/lookup/geolocation/v17C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                      high
                      https://cortana.ai7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                        high
                        https://cloudfiles.onenote.com/upload.aspx7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                          high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                            high
                            https://entitlement.diagnosticssdf.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                              high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                high
                                https://api.aadrm.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.yammer.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                  high
                                  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                    high
                                    https://api.microsoftstream.com/api/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                      high
                                      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                        high
                                        https://cr.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                          high
                                          https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                          • Avira URL Cloud: safe
                                          low
                                          https://portal.office.com/account/?ref=ClientMeControl7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                            high
                                            https://graph.ppe.windows.net7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptionevents7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.net7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/work7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                  high
                                                  https://api.scheduler.7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://my.microsoftpersonalcontent.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://store.office.cn/addinstemplate7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://api.aadrm.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                      high
                                                      https://messaging.engagement.office.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                        high
                                                        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                          high
                                                          https://dev0-api.acompli.net/autodetect7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.odwebp.svc.ms7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://api.diagnosticssdf.office.com/v2/feedback7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                            high
                                                            https://api.powerbi.com/v1.0/myorg/groups7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                              high
                                                              https://web.microsoftstream.com/video/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                high
                                                                https://api.addins.store.officeppe.com/addinstemplate7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://graph.windows.net7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                  high
                                                                  https://dataservice.o365filtering.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://officesetup.getmicrosoftkey.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://analysis.windows.net/powerbi/api7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                    high
                                                                    https://prod-global-autodetect.acompli.net/autodetect7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://outlook.office365.com/autodiscover/autodiscover.json7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                      high
                                                                      https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                        high
                                                                        https://consent.config.office.com/consentcheckin/v1.0/consents7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                          high
                                                                          https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                            high
                                                                            https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                              high
                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                high
                                                                                https://d.docs.live.net7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://ncus.contentsync.7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                  high
                                                                                  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                    high
                                                                                    http://weather.service.msn.com/data.aspx7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                      high
                                                                                      https://apis.live.net/v5.0/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                        high
                                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                          high
                                                                                          https://messaging.lifecycle.office.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                            high
                                                                                            https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                              high
                                                                                              https://pushchannel.1drv.ms7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                high
                                                                                                https://management.azure.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                  high
                                                                                                  https://outlook.office365.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                    high
                                                                                                    https://wus2.contentsync.7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://incidents.diagnostics.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                      high
                                                                                                      https://clients.config.office.net/user/v1.0/ios7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                        high
                                                                                                        https://make.powerautomate.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://insertmedia.bing.office.net/odc/insertmedia7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                          high
                                                                                                          https://o365auditrealtimeingestion.manage.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                            high
                                                                                                            https://outlook.office365.com/api/v1.0/me/Activities7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                              high
                                                                                                              https://api.office.net7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                high
                                                                                                                https://incidents.diagnosticssdf.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                  high
                                                                                                                  https://asgsmsproxyapi.azurewebsites.net/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://clients.config.office.net/user/v1.0/android/policies7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                    high
                                                                                                                    https://entitlement.diagnostics.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                      high
                                                                                                                      https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                        high
                                                                                                                        https://substrate.office.com/search/api/v2/init7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                          high
                                                                                                                          https://outlook.office.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
                                                                                                                            high
URL | Source | Malicious | Antivirus Detection | Reputation
https://storage.live.com/clientlogs/uploadlocation | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://login.windows.local | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/ | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://webshell.suite.office.com | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://substrate.office.com/search/api/v1/SearchHistory | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://management.azure.com/ | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://messaging.lifecycle.office.com/getcustommessage16 | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://api.officescripts.microsoftusercontent.com/api | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net/ | 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr | false | | high
Every URL in this part of the table was found as a string in the same dropped artifact, 7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.dr, and none is flagged malicious; they are Office/Outlook service endpoints, not links taken from the e-mail.
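The extraction ran each row of the URL table together (URL, source artifact and the Malicious cell with no separator). The following Python is an added example, not part of the Joe Sandbox report: it splits the fused rows back apart and applies the triage check an analyst actually wants on a list like this, where every URL comes from one dropped Office configuration artifact rather than from the sample. The question worth automating is which hosts fall outside a first-party Microsoft allowlist; FIRST_PARTY_SUFFIXES is this example's own assumption, not something the report provides, and with it only login.windows.local is pushed to review, in line with the report's "unknown" reputation for that host.

```python
import re
from urllib.parse import urlsplit

# One fused row: URL, then the source artifact (GUID.<process index>.dr),
# then the Malicious cell, with no separators left by the extraction.
ROW_RE = re.compile(
    r"^(?P<url>https?://.+?)"
    r"(?P<source>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.\d+\.dr)"
    r"(?P<malicious>true|false)$",
    re.IGNORECASE,
)

# Constructed input: the fused rows of the report's URL table, copied as extracted.
FUSED_ROWS = """\
https://storage.live.com/clientlogs/uploadlocation7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://login.windows.local7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
• URL Reputation: safe
unknown
https://outlook.office365.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://webshell.suite.office.com7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://substrate.office.com/search/api/v1/SearchHistory7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://management.azure.com/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://messaging.lifecycle.office.com/getcustommessage167C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://api.officescripts.microsoftusercontent.com/api7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
• URL Reputation: safe
unknown
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://login.windows.net/common/oauth2/authorize7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
• URL Reputation: safe
unknown
https://graph.windows.net/7C4856C6-FD49-4319-B677-3E70F8A1C4FB.0.drfalse
high
"""

# Assumption of this example: hostname suffixes Office/Outlook legitimately
# talks to. Kept deliberately short so anything else lands on the analyst.
FIRST_PARTY_SUFFIXES = (
    "microsoft.com", "office.com", "office.net", "office365.com",
    "live.com", "windows.net", "azure.com", "bing.com",
    "microsoftusercontent.com", "o365filtering.com",
)


def parse_url_table(text):
    """Turn the fused table text into one dict per URL row.

    A line matching ROW_RE starts a row; a following bullet line is an
    antivirus-detection cell and any other line is the Reputation cell."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({"url": m["url"], "source": m["source"],
                         "malicious": m["malicious"].lower() == "true",
                         "av": [], "reputation": None})
        elif rows and line.startswith("•"):
            rows[-1]["av"].append(line.lstrip("• ").strip())
        elif rows:
            rows[-1]["reputation"] = line
    return rows


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_first_party(url):
    """Suffix match on the registrable part, so office.com.evil.example fails."""
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def triage(rows):
    """Return (url, reasons) for rows an analyst should look at: sandbox says
    malicious, an AV cell that is not 'safe', or a host off the allowlist."""
    review = []
    for r in rows:
        reasons = []
        if r["malicious"]:
            reasons.append("sandbox flagged malicious")
        if any("safe" not in a.lower() for a in r["av"]):
            reasons.append("AV detection: " + "; ".join(r["av"]))
        if not is_first_party(r["url"]):
            reasons.append("host not on first-party allowlist")
        if reasons:
            review.append((r["url"], reasons))
    return review


if __name__ == "__main__":
    for url, reasons in triage(parse_url_table(FUSED_ROWS)):
        print(url, "->", "; ".join(reasons))
```

The allowlist is intentionally a suffix match on the registrable domain rather than a substring match, so a lookalike such as office.com.evil.example is still flagged; in a real pipeline the source column should also be used to separate strings pulled from Office's own dropped files from URLs that appear in the mail body or its attachments.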
Shading legend for the IP tables: No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no public IP rows)
IP (private range)
192.168.2.1
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 882696
Start date and time: 2023-06-06 17:11:15 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: nested-a.manasova@mlsp.kg.eml
Detection: SUS
Classification: sus21.phis.winEML@1/11@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .eml
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.109.76.141, 20.234.90.154, 20.126.106.131
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, officeclient.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryAttributesFile calls found
No simulations
No context (reported for each of the five Joe Sandbox View context tables; none matched)
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 231348
Entropy (8bit): 4.387220539959205
Encrypted: false
SSDEEP: 1536:PYLdgsvLhmPgsxNcAz79ysQqt2ATqoQ9rcm0FvPy09PV/b9yH38uCu51:4dgEmPgWmiGu2EqoQ9rt0Fva01V/UXv1
MD5: 774D3E2CD564BE266505ABD2AD40DA81
SHA1: B55246CB45B183C2CE1C1C85176E0FB6F19A9F11
SHA-256: D67A09ADF86F2450076B2FFB9032A59DBA5C9EBB34ED76CDF49029DDABE1095C
SHA-512: 66F4105483B6899750756744298FEA6B3BDF7284E6817DCA42225087E277CBA418A00083A11A6E330B1853E1CA53C1836C1144E65F98CE7C00F43683F5F42873
Malicious: false
Reputation: moderate, very likely benign file
Preview: TH02...... .............SM01X...,.................IPM.Activity...........h..\r...........h.........F.rH..h........9.....h^F.w..../GUrH..h.... ....VUr...h.OUr0..........h.\r.....^.i...h..w....=.....h....@..........h....H..........0....T...............d...x.....2h.|\r...........k_.D.....e.....!h.............. h........0.....#h..Ur8.........$h.......8....."h..............'h.U............1h....<.........0h...4........./hl...h....H.rH..h;.\rp.........-h..............+h.......=.................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 155808
Entropy (8bit): 5.351254020674061
Encrypted: false
SSDEEP: 1536:n+C/FPgfHB7U9guw19Q9DQA+zQak4F77nXmvidlXRjE6LRz6y:CDQ9DQA+zTXWk
MD5: B22C5C0FBDB571B015E0CA96C32019B7
SHA1: E036D686701EA372901EEF464E91A18C5E5C9709
SHA-256: 98260638BBB725A514C6157BE750C883E0D01AFC1FD0EB2504168FDEF644FF51
SHA-512: 07F91FE29F699D94B35EA5DFE627D199399103A3F432503EC661A962E529A03BBAACC710700210837FA57E9E2D63599D9046B8785AD8304DC7790DF67BE9BBE0
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-06-06T15:12:17">.. Build: 16.0.16530.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: data
Category: modified
Size (bytes): 1536
Entropy (8bit): 1.2028337455265752
Encrypted: false
SSDEEP: 6:DozS6MkpsjaIHRJQauSDSl4gR+amNQPAMMlytAsf9yR0QIE0Wxl2K2w8GKqX:8z5jsj9xaNSi3Yh3NxsW0QvaKR8VqX
MD5: 17BC2688909E06B5B22D521DF7FCEAA5
SHA1: 298036271A5D2E37AC35B6A7C7D73917330B5ADE
SHA-256: 536D0A9C6D50FC2E77CBABA610AEC939946F5AFF683E48A75B91CDC1B7F20032
SHA-512: 047AF3CA38BA6FF881B9153E8D23F71DEDF3694919E9ED107A6962D25DA4CB4B411D8CD0FF213EEA16E75CA40CD1FF73C6ECEF15AA0D1D95A442FAFDCCB1FF29
Malicious: false
Reputation: low
Preview: ..C.A.U.T.I.O.N.:. .T.h.i.s. .e.m.a.i.l. .o.r.i.g.i.n.a.t.e.d. .f.r.o.m. .o.u.t.s.i.d.e. .o.f. .t.h.e. .o.r.g.a.n.i.z.a.t.i.o.n... .D.o. .n.o.t. .c.l.i.c.k. .l.i.n.k.s. .o.r. .o.p.e.n. .a.t.t.a.c.h.m.e.n.t.s. .u.n.l.e.s.s. .y.o.u. .r.e.c.o.g.n.i.z.e. .t.h.e. .s.e.n.d.e.r. .a.n.d. .k.n.o.w. .t.h.e. .c.o.n.t.e.n.t. .i.s. .s.a.f.e.!.............................................................................................................................................................................................N............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-D.
The preview is UTF-16LE text with NUL bytes rendered as '.'; decoded it reads: CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe! The rest of the 1536-byte file is almost entirely NUL padding, which is why the 8-bit entropy is only 1.20.
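The 1536-byte file above is the external-sender warning banner that Outlook cached, stored as UTF-16LE and NUL-padded, which is what gives it an entropy of 1.20 bits per byte and "Encrypted: false". The following Python is an added example, not part of the Joe Sandbox report: it decodes such a preview string back into its text and recomputes the report's 8-bit entropy figure on a reconstruction of the file. The reconstruction (byte-order mark, the banner, NUL padding to the reported size) is this example's assumption about the part of the file the preview does not show; the point it demonstrates is that a low-entropy, unencrypted dropped artifact of this shape is consistent with sparse text, not with a packed or encrypted payload.

```python
import math
from collections import Counter

# Constructed input: the Preview field of the 1536-byte dropped file as the
# report renders it (non-printable bytes shown as '.'), cut after the banner.
PREVIEW = (
    "..C.A.U.T.I.O.N.:. .T.h.i.s. .e.m.a.i.l. .o.r.i.g.i.n.a.t.e.d. .f.r.o.m. "
    ".o.u.t.s.i.d.e. .o.f. .t.h.e. .o.r.g.a.n.i.z.a.t.i.o.n... .D.o. .n.o.t. "
    ".c.l.i.c.k. .l.i.n.k.s. .o.r. .o.p.e.n. .a.t.t.a.c.h.m.e.n.t.s. .u.n.l.e.s.s. "
    ".y.o.u. .r.e.c.o.g.n.i.z.e. .t.h.e. .s.e.n.d.e.r. .a.n.d. .k.n.o.w. .t.h.e. "
    ".c.o.n.t.e.n.t. .i.s. .s.a.f.e.!" + "." * 40
)

REPORTED_SIZE = 1536  # "Size (bytes)" from the report


def decode_utf16le_preview(preview, end_run=8):
    """Recover text from a sandbox preview of a UTF-16LE file.

    ASCII text in UTF-16LE is <byte><NUL>, and the preview prints every
    non-printable byte as '.', so each character shows up as <char>'.' and the
    FF FE byte-order mark as '..'. A literal '.' in the text and its NUL look
    the same ('..'), so decoding is only unambiguous up to the first long run
    of dots, which in this file is the NUL padding after the banner.
    """
    if not preview.startswith(".."):
        raise ValueError("expected a UTF-16LE BOM rendered as '..'")
    body = preview[2:]
    cut = body.find("." * end_run)
    if cut >= 0:
        body = body[:cut]
    return body[0::2]  # even positions are the low (character) bytes


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def reconstruct_file(text, size=REPORTED_SIZE):
    """Assumption: BOM + UTF-16LE text, NUL-padded to the reported size."""
    raw = b"\xff\xfe" + text.encode("utf-16-le")
    if len(raw) > size:
        raise ValueError("text does not fit the reported file size")
    return raw.ljust(size, b"\x00")


if __name__ == "__main__":
    banner = decode_utf16le_preview(PREVIEW)
    print(banner)
    print("entropy of reconstruction: %.3f bits/byte" % shannon_entropy(reconstruct_file(banner)))
```

The reconstruction lands around 1.0 bits per byte against the reported 1.20; the gap is the handful of non-NUL bytes visible later in the real preview (the "N" and the trailing "-D."), which the assumption above omits. Anything near 7.9 or above on a file this size would instead point at compressed or encrypted content and deserve a closer look.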

Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 2.4148418619723575
Encrypted: false
SSDEEP: 1536:7zqP4HFQ30dpX6DAO2NRSjNIyUbj+7ZGubpwk21aSwIbYyyGPHAwrRGPHAwrn:VdsuyyyubYy
MD5: 0B27C277FB1601554FEAE2C5469F6924
SHA1: DA9863FB8EAE74B7B9608BF579802C23699080A5
SHA-256: 6B9E94434167BE42F20BE2C13AA6EF3F057F26F4D347C3445E11912000EFD0F4
SHA-512: 4E517AE737FF97A213B96AF4D886EB880E5F3613736F643175ACEE905B616D26983BFC84367D86D27DE52894D005FC8049503151FB19AB9A3DEC36457A8A183F
Malicious: false
Reputation: low
Preview: !BDN..(.SM......\...!...........l.......{................@...........@...@...................................@...........................................................................$.......D......................h........4......k....................................................................................................................................................................................................................................................................................................P..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 1.5749733883273598
Encrypted: false
SSDEEP: 384:VH0wSSOgVXwnPHXHwwrbVHIwu1CPcgH8WgjwjOu2goc0OTNMmxcJb:B6SbGPHAwrJHDc6T8xfxOJMmQb
MD5: 2AC1AD1CF83F09FB9362F0FB835E78A8
SHA1: FDFD9456F4ED9497A3042D58D08B443C136269CF
SHA-256: 17B30BE681EF175DF165B538E5C064E0E1DD7E09071BB4B24157356E603F2F17
SHA-512: 5499B28300B2CC68C469975B72EDCC9526BBBEB304CC2538200FCCE45A2B97B3CD18F25C5AD08418B4E03C5BEA21F006783D84F35589B38278E951C7C5DB3156
Malicious: false
Reputation: low
Preview: .v.i0...R.......p....)..........D............#.....................................?......................................................................~...........................................................................................?.............................................................................................................................................................................................................................................................................................................h.0.D......@...0...S.......p....)..........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 551
Entropy (8bit): 4.697154350883648
Encrypted: false
SSDEEP: 12:HevrLo2k2/VmkaYyaJ3VUxe4DaPaIdVXN+I1okaDHDaQay/C45jG2DpkZ:gLo2FVDaYNJ3Ko4DaygFN+oFabe1wCQE
MD5: BC71FF7DA14ECA943FA0AD815F72B8CB
SHA1: CECCD0CFF2DD12AEDE7DE14457D15D00687165BB
SHA-256: 48E537902C03A3EEE4790FC97EE072CDDC7C1A90122702DD18243D8C12A0D99A
SHA-512: 08CD022D34C1B9B080322C3CFA15CC22E3353D42BA55C729723378DC177E8A0E979C6644BC2F97B2E36CB5E864FA37FF05DA6DBA5794A39380E72182015AB324
Malicious: false
Reputation: moderate, very likely benign file
Preview: #define OBJECTTYPE 0..#define RPCATTEMPTED 2..#define RPCSUCCEEDED 4..#define RPCFAILED 6..#define RPCCANCEL 8..#define RPCSHOWN 10..#define RPCFOREGROUND 12..#define RPCTIMEAVG 14..#define RPCTIMEAVG10 16..#define RPCTIMEAVG50 18..#define RPCTIMEAVG200 20..#define RPCTIMEMIN 22..#define RPCTIMEMAX 24..#define RPCCONNCOUNT 26..#define RPCSRVOBJCOUNT 28..#define CONTEXTHANDLECOUNTAD 30..#define BINDINGHANDLECOUNTAD 32..#define CONTEXTHANDLECOUNTSTORE 34..#define BINDINGHANDLECOUNTSTORE 36..
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
                                                                                                                                                File Type:Generic INItialization configuration [languages]
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2695
                                                                                                                                                Entropy (8bit):5.33674634085226
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:mJy8LzDyWt1D6lj50fvikpfNec0v6fevt8rN+rn9pNREVkWVmCU4ah6+65vq+69D:m/LzfzD6t50f1sZ6Wl8RerzEVkWh1am+
                                                                                                                                                MD5:509A7197AE66401D1DA76F4BAC1DD0A8
                                                                                                                                                SHA1:A30F0CF0161ADDBDD3B04B482FEF651EE4EAE322
                                                                                                                                                SHA-256:EE9E288C3495FD548FD49095BE08807F215FC0780064E179011098C0C7461A34
                                                                                                                                                SHA-512:4041C1073CB15ADA49D284CF612A95502CE74AC1EF69FD1B9DFDF84EDDD074150B6092C8534E49807AD3166F97127477E3497368AE845D369EBBFC2ACFC6C071
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[info]..drivername=Outlook..symbolfile=outlperf.h....[languages]..009=English....[text]..OBJECTTYPE_009_NAME=Outlook..OBJECTTYPE_009_HELP=Gives performance metrics for outlook server connectivity...RPCATTEMPTED_009_NAME=RPCs Attempted..RPCATTEMPTED_009_HELP=Number of RPCs that outlook attempted to send to the server...RPCSUCCEEDED_009_NAME=RPCs Succeeded..RPCSUCCEEDED_009_HELP=Number of RPCs that outlook successfully sent to the server...RPCFAILED_009_NAME=RPCs Failed..RPCFAILED_009_HELP=Number of RPCs that were attempted, but failed...RPCCANCEL_009_NAME=RPCs Cancelled..RPCCANCEL_009_HELP=Number of RPCs that were sent to the server, but the user cancelled...RPCSHOWN_009_NAME=RPCs UI Shown..RPCSHOWN_009_HELP=Number of RPCs that were sent to the server, and took long enough to show progress UI...RPCFOREGROUND_009_NAME=RPCs Attempted - UI..RPCFOREGROUND_009_HELP=Number of RPCs that outlook attempted that blocked the UI...RPCTIMEAVG_009_NAME=Time Avg (all)..RPCTIMEAVG_009_HELP=The average
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):856456
                                                                                                                                                Entropy (8bit):3.424585245442674
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:nJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbO1gK/Spm3PfqKBLamVkqhwxpR8UUUF:C1nqgsp2OtBaiY
                                                                                                                                                MD5:DCCE5FDA282F7296C105A3873060F7E1
                                                                                                                                                SHA1:876013B7EB661FF7B33845DBFAD468D70B29EB39
                                                                                                                                                SHA-256:E2C4415CCAF2F1CCE8448F8EF0B297CE0BDD085FB36072F0E784F403ECC20082
                                                                                                                                                SHA-512:FEECE5A6337CF404312FA2C4CE55054104A3AF3531A78588A43836B5D4D94620CF3216E672935079D7C5DE4C10A576C54D075D76CA62340C8DD18F88EC6C71F6
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.9.3.0.6.....L.a.s.t. .H.e.l.p.=.9.3.0.7.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.8.6.....F.i.r.s.t. .H.e.l.p.=.3.9.8.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.9.8.....L.a.s.t. .H.e.l.p.=.3.9.9.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.7.1.4.....F.i.r.s.t. .H.e.l.p.=.3.7.1.5.....L.a.s.t. .C.o.u.n.t.e.r.=.3.7.2.4.....L.a.s.t. .H.e.l.p.=.3.7.2.5.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.4.4.7.2.....F.i.r.s.t. .H.e.l.p.=.4.4.7.3.....L.a.s.t. .C.o.u.n.t.e.r.=.4.4.9.8.....L.a.s.t. .H.e.l.p.=.4.4.9.9.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.5.6.....F.i.r.s.t. .H.e.l.p.=.3.9.5.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.8.4.....L.a.s.t. .H.e.l.p.=.3.9.8.5.........[.P.E.R.F._...N.E.T. .
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):856456
                                                                                                                                                Entropy (8bit):3.424585245442674
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:nJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbO1gK/Spm3PfqKBLamVkqhwxpR8UUUF:C1nqgsp2OtBaiY
                                                                                                                                                MD5:DCCE5FDA282F7296C105A3873060F7E1
                                                                                                                                                SHA1:876013B7EB661FF7B33845DBFAD468D70B29EB39
                                                                                                                                                SHA-256:E2C4415CCAF2F1CCE8448F8EF0B297CE0BDD085FB36072F0E784F403ECC20082
                                                                                                                                                SHA-512:FEECE5A6337CF404312FA2C4CE55054104A3AF3531A78588A43836B5D4D94620CF3216E672935079D7C5DE4C10A576C54D075D76CA62340C8DD18F88EC6C71F6
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.9.3.0.6.....L.a.s.t. .H.e.l.p.=.9.3.0.7.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.8.6.....F.i.r.s.t. .H.e.l.p.=.3.9.8.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.9.8.....L.a.s.t. .H.e.l.p.=.3.9.9.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.7.1.4.....F.i.r.s.t. .H.e.l.p.=.3.7.1.5.....L.a.s.t. .C.o.u.n.t.e.r.=.3.7.2.4.....L.a.s.t. .H.e.l.p.=.3.7.2.5.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.4.4.7.2.....F.i.r.s.t. .H.e.l.p.=.4.4.7.3.....L.a.s.t. .C.o.u.n.t.e.r.=.4.4.9.8.....L.a.s.t. .H.e.l.p.=.4.4.9.9.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.5.6.....F.i.r.s.t. .H.e.l.p.=.3.9.5.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.8.4.....L.a.s.t. .H.e.l.p.=.3.9.8.5.........[.P.E.R.F._...N.E.T. .
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):133672
                                                                                                                                                Entropy (8bit):3.4045308547957878
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:X1iTIxFbXxIPoO2NAYW22glhzEmhVd0Rev54d:XtxFbXxIPoO2NAYW22glhzEpev54d
                                                                                                                                                MD5:CD989A7EF2086A5952A945991A8E731D
                                                                                                                                                SHA1:BF9DBF42367872448D1A8C107C132C5C6355D156
                                                                                                                                                SHA-256:A9DD4213B016C7C37E18394710657327BB6DD083A6EBF9D97D94A31829A630E1
                                                                                                                                                SHA-512:EEA18B26AC27C2F03F7FE115439EA4BE713680B58C403ABAD3668ECE50CFE63A730E28AEC2249988237B8133C4BD9C1F17106C7FB004BDA4E0BBB0F7FF94035A
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):711942
                                                                                                                                                Entropy (8bit):3.2750038779489223
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHd1zsS3MgjBmbsCJnpEiLxVrFfarYCH6b/o:78M6d0lBb/8c
                                                                                                                                                MD5:E7524976DB303DF6346CF3024872DD9C
                                                                                                                                                SHA1:31CAF98E58524AB40F9A786F4504869AFABA1F3A
                                                                                                                                                SHA-256:2CDA416A24A4B10CC28E873E038CED3207D1EFB4A1D07A4594D5728B48EAE4FD
                                                                                                                                                SHA-512:D87AB126F26BE07DFF3928D8D1AC2496531410DDFBFA2D7D24A8E53BCF12A95FEE9789C061722414885621277732C1F33540BFE9A75D36DE68D51411ECF176E4
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                                                                                                                                                File type:RFC 822 mail, ASCII text, with very long lines (400), with CRLF line terminators
                                                                                                                                                Entropy (8bit):6.049314989702536
                                                                                                                                                TrID:
                                                                                                                                                • E-Mail message (Var. 5) (54515/1) 100.00%
                                                                                                                                                File name:nested-a.manasova@mlsp.kg.eml
                                                                                                                                                File size:10117
                                                                                                                                                MD5:4a7e15c9c669418b6397e95d1f15335b
                                                                                                                                                SHA1:0bd5e0e1e025b5e9e1d97fc2975695d7604195aa
                                                                                                                                                SHA256:648c7defd331df51001dee4b874a404d67ebc8ca8f21775f27e0581405e061cd
                                                                                                                                                SHA512:ef97a123e897117c576edc688e1c301579837f7857b97535dff354716b6570c7d4c9ea959b950d4dd1d402101f7bbd58cbaf0c7b38aa49be4075dea3365b562d
                                                                                                                                                SSDEEP:192:e0/0S4aT9cjNsW+nzPFNSX3JKMgwtfG9ep0FetnjWfIuWG:F/0S4axcjNsWqPQJQMHp4eZjsIu5
                                                                                                                                                TLSH:9C22F561870B1013F7A251A42D066D1D8151F891F2FFA6803C5F36BF13DFA3ABEA5899
                                                                                                                                                File Content Preview:Received: from DM6PR03CA0001.namprd03.prod.outlook.com (2603:10b6:5:40::14) by.. SN7PR20MB5286.namprd20.prod.outlook.com (2603:10b6:806:265::18) with.. Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.23
                                                                                                                                                Subject:[EXT]NOTIFICATION
                                                                                                                                                From:ICT <a.manasova@mlsp.kg>
                                                                                                                                                To:Undisclosed recipients:;
                                                                                                                                                Cc:
                                                                                                                                                BCC:
                                                                                                                                                Date:Sat, 20 May 2023 15:00:12 +0600
                                                                                                                                                Communications:
                                                                                                                                                • CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe! ________________________________ Dear User We have completed scheduled maintenance on our Zimbra Webmail Portal. To confirm that your account has not been disabled by this process, please verify your account. ZIMBRA LOGIN<https://comfirmationandverification.duartemobilerepair.com/> We apologize for any inconveniences this may have caused. Thank you!
                                                                                                                                                Attachments:
                                                                                                                                                  Key Value
                                                                                                                                                  Received: from mail.mlsp.kg (mail.mlsp.kg [10.20.2.10]) by mail.mlsp.kg (Postfix) with ESMTP id 3F41373E1398; Sat, 20 May 2023 15:00:12 +0600 (+06)
                                                                                                                                                  Authentication-Results: spf=none (sender IP is 195.38.189.98) smtp.mailfrom=mlsp.kg; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mlsp.kg;compauth=pass reason=105
                                                                                                                                                  Received-SPF: None (protection.outlook.com: mlsp.kg does not designate permitted sender hosts)
                                                                                                                                                  X-Virus-Scanned: amavisd-new at mlsp.kg
                                                                                                                                                  Date: Sat, 20 May 2023 15:00:12 +0600
                                                                                                                                                  From: ICT <a.manasova@mlsp.kg>
                                                                                                                                                  Message-ID: <1496263039.6680753.1684573212209.JavaMail.zimbra@mlsp.kg>
                                                                                                                                                  Subject: [EXT]NOTIFICATION
                                                                                                                                                  MIME-Version: 1.0
                                                                                                                                                  Content-Type: multipart/alternative; boundary="=_ceb769e5-3e09-4376-94d4-edfcf87eebcd"
                                                                                                                                                  X-Originating-IP: [105.112.211.216]
                                                                                                                                                  X-Mailer: Zimbra 8.8.15_GA_3963 (zclient/8.8.15_GA_3963)
                                                                                                                                                  Thread-Index: 5JpLQA6LxUwh0MPq59uFAvFhnnk3Ug==
                                                                                                                                                  To: Undisclosed recipients:;
                                                                                                                                                  Return-Path: a.manasova@mlsp.kg
                                                                                                                                                  X-EOPAttributedMessage: 0
                                                                                                                                                  X-EOPTenantAttributedMessage: e891bb7b-7454-4bbc-b0ab-b73ce78b3f69:0
                                                                                                                                                  X-MS-PublicTrafficType: Email
                                                                                                                                                  X-MS-TrafficTypeDiagnostic: DM6NAM12FT052:EE_|SN7PR20MB5286:EE_
                                                                                                                                                  X-MS-Office365-Filtering-Correlation-Id: 1c43865e-f328-4d7e-ecb0-08db59173ca9
                                                                                                                                                  X-Forefront-Antispam-Report: CIP:195.38.189.98;CTRY:KG;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:mail.mlsp.kg;PTR:InfoDomainNonexistent;CAT:HPHISH;SFTY:9.25;SFS:(13230028)(109986019)(451199021)(5202899009)(5660300002)(1096003)(356005)(8676002)(81166007)(2616005)(26005)(166002)(6266002)(36756003)(15650500001)(86362001)(22186003)(336012)(426003)(83380400001)(450100002)(58800400005)(33964004)(7696005)(83406005)(19490400016);DIR:INB;
                                                                                                                                                  X-Microsoft-Antispam: BCL:0;
                                                                                                                                                  X-Microsoft-Antispam-Message-Info:

                                                                                                                                                  Icon Hash:0f03ccca8acc0b0f
                                                                                                                                                  No network behavior found

                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:17:12:15
                                                                                                                                                  Start date:06/06/2023
                                                                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\PROGRA~2\MICROS~1\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-a.manasova@mlsp.kg.eml"
                                                                                                                                                  Imagebase:0x1310000
                                                                                                                                                  File size:23291112 bytes
                                                                                                                                                  MD5 hash:7DD935BA9B57D9D7EFF63C67653E70B5
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:moderate

                                                                                                                                                  No disassembly