Edit tour

Windows Analysis Report
invite.ics

Overview

General Information

Sample name:	invite.ics
Analysis ID:	1428535
MD5:	e0891ee97e8a6c1192ffa288e5e4dd78
SHA1:	749f1a5b6119829e698c4e6919074a9fed4d9e5f
SHA256:	e82d87ea9d4202cdb387794edf21dcb2a59fa89f611999c003c896031764621e
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7528 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /ical "C:\Users\user\Desktop\invite.ics" MD5: 91A5292942864110ED734005B7E005C0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.office.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://api.scheduler.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://augloop.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: invite.ics	String found in binary or memory: https://calendly.com/
Source: invite.ics	String found in binary or memory: https://calendly.com/events/ad6170e9
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cdn.entity.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cortana.ai
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://cr.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://directory.services.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ecs.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://graph.windows.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://invites.office.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://login.windows.local
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://management.azure.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://management.azure.com/
Source: invite.ics	String found in binary or memory: https://meet.google.com/amn-fyaz-hpv
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://substrate.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://tasks.office.com
Source: invite.ics	String found in binary or memory: https://tel.meet/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: clean0.winICS@1/12@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Microsoft\FORMS

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Modify Registry	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
invite.ics	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://login.microsoftonline.com/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://shell.suite.office.com:1443	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://autodiscover-s.outlook.com/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://useraudit.o365auditrealtimeingestion.manage.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://outlook.office365.com/connectors	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://cdn.entity.	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://powerlift.acompli.net	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://cortana.ai	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/imports	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.aadrm.com/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://www.yammer.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.microsoftstream.com/api/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://cr.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		low
https://messagebroker.mobile.m365.svc.cloud.microsoft	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://edge.skype.com/registrar/prod	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://graph.ppe.windows.net	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://officeci.azurewebsites.net/api/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.scheduler.	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://outlook.office.com/autosuggest/api/v1/init?cvid=	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://globaldisco.crm.dynamics.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://messaging.engagement.office.com/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://dev0-api.acompli.net/autodetect	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://web.microsoftstream.com/video/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://dataservice.o365filtering.com/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://outlook.office365.com/autodiscover/autodiscover.json	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://d.docs.live.net	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://ncus.contentsync.	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
http://weather.service.msn.com/data.aspx	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://apis.live.net/v5.0/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://meet.google.com/amn-fyaz-hpv	invite.ics	false		high
https://templatesmetadata.office.net/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://messaging.lifecycle.office.com/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://pushchannel.1drv.ms	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://management.azure.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://outlook.office365.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://wus2.contentsync.	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://make.powerautomate.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://tel.meet/	invite.ics	false		unknown
https://outlook.office365.com/api/v1.0/me/Activities	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://api.office.net	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://incidents.diagnosticssdf.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://entitlement.diagnostics.office.com	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high
https://substrate.office.com/search/api/v2/init	517F07F3-F516-4D44-BE42-7DD45F243AA4.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428535
Start date and time:	2024-04-19 06:52:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	invite.ics
Detection:	CLEAN
Classification:	clean0.winICS@1/12@0/0
Cookbook Comments:	Found application associated with file extension: .ics

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.113.194.132, 52.109.16.112, 72.21.81.240
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, cus-config.officeapps.live.com, osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com, wu.azureedge.net, ncus-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, officeclient.microsoft.com, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.458354564870144
Encrypted:	false
SSDEEP:	6:kKJy8piJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:0AkPlE99SCQl2DUevat
MD5:	3A310BA0937357C65830045EE7DCE6E1
SHA1:	317DD4CE785B4D313162E756BBC0E0625183C562
SHA-256:	46CD661C6F4F056AA45C80BF398396C27FE1495B047CAADAC8C1580AD8D2C6B3
SHA-512:	B6CCFD837BA984CC51A93EC0B7E527B00157FD6BEC6553E01B6551D74B4EE553870A56F5B7CE346943892E9D80F74A887EC7994642466B24BF49CBA14C76F2E1
Malicious:	false
Reputation:	low
Preview:	p...... ........Cu.....(...............................................R...@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	245980
Entropy (8bit):	4.353434324053558
Encrypted:	false
SSDEEP:	3072:RlDgGprg7miGu2XqoQ2rt0FvBAwYClvB9j:Xrimi262wYClvBd
MD5:	1F1589F66BC504680BB617180C3B5625
SHA1:	6DF92EFFCCF5A4149D2B88230058ECF17A8A5C31
SHA-256:	787B2DD835B8767C9EF51E68F24F466DE398298473BF10597B59FA707DB65C98
SHA-512:	3574EFCD9E0CC6087864100726C012C1433209335CB0F7DF3E668C4504EFA2EBAACC6DE3196253AFBBB698906948CE4E5DD253FA4C01FE1CE7B0B37694B374EB
Malicious:	false
Reputation:	low
Preview:	TH02...... .PT..........SM01........................IPM.TaskRequest.Decline........h...............h......"j....H..h...............h.........,.vH..h.... ..........h....0..........h...............h...............h=i;.H.....`....h....P....}\|j...0....\...$...........l.........2h...............k...........F..!h0-.j.......... h..............#h....8.........$h........@....."h..............'h.........P{j..1h..............0h........4...../h............H..h..Dj .........-h....0........+h....4....................... ..............FS..............FIPM.TaskRequest.Decline.Form....Standard.@x.Task Decline.G..IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1111110000000000....Microsoft.p.This form is used to decline a task request.........kf...... ..........&...........(.......(... ...@...............................................................................................................................D@..............D@x.............DG...p..........DH..www.wwp.....

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\517F07F3-F516-4D44-BE42-7DD45F243AA4

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166203
Entropy (8bit):	5.340918878832348
Encrypted:	false
SSDEEP:	1536:5+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6g:gIQ9DQA+zqzMXeMJ
MD5:	81236284D4A888FD25E034D75D34CE35
SHA1:	E1AA4CB9D7117418EA5D11A47FBF04FEF942AEB5
SHA-256:	75E4264C38F077811539DCAAFEADDF6E33167AFF1049B611F572B9144F4B6161
SHA-512:	620BB6CBFE368877F86F2F6D4DF7DDA868FFAC1903B6B47823D413CD08B64F086C5B38C80DCA29E39B94DC1AAB9038DE4197C9C0D1E387B101757F2925D05186
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-19T04:53:42">.. Build: 16.0.17609.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13760166725504608
Encrypted:	false
SSDEEP:	3:7FEG2l+pk+/l/FllkpMRgSWbNFl/sl+ltlslVlllfllpE:7+/lSkgg9bNFlEs1EP/a
MD5:	F4F1298041AA7251D8F1AE26074B2933
SHA1:	5DEB1B81ADE519D435AC954F9DDAB516FC8BCC07
SHA-256:	0B0D6E5B2388EBB2254C8F3C5DCDEC46C5F6DB1E9C5C8CB7F707DC393F978E22
SHA-512:	57889EB167BAF7A856DF7B5807308D3169AE67901096F9528C1D25122F34D4A7E64C0D87FC64D8B400C28671FB9B9E9B9126047A6D7B45DFE0D2B42DD6E8FE2C
Malicious:	false
Reputation:	low
Preview:	.... .c.....:_.!....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04470641479249482
Encrypted:	false
SSDEEP:	6:G4l2i+XAOxHNl2i+XAOpllML9XXPH4l942U:l2NX2VllM5A0
MD5:	451B5C512B330D7AFEA192A2CE888D3E
SHA1:	3D14CE953CF06F74CB961E6FC917156829F88667
SHA-256:	E2719E3275D1C7EFBC47E3500FBEBF0C419289E7C8854DDDB9699EBCA82B9621
SHA-512:	C95E1505D30FCEA33B9B1C6F4807D7DC8226F33D305E5C2184A96972546F362B2A1566B1A2013D5B8092F93AAC4FBE7D8A2F48F7EBF3B59DF881AC00DF5EC88A
Malicious:	false
Reputation:	low
Preview:	..-.....................bG...%.kdv.......1Sz..(..-.....................bG...%.kdv.......1Sz..(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	45352
Entropy (8bit):	0.39465578872612783
Encrypted:	false
SSDEEP:	24:KTNTXucyQ3zRDfn4LaNXUll7DBtDi4kZERDtkAZTzqt8VtbDBtDi4kZERDfL:eX1yQ1DDUll7DYMJtzO8VFDYM
MD5:	B3A8AB8B368FB99B4396DF0BFEB9D7CC
SHA1:	379ACF9194F060AA19E91EE7A78FEBA67A678942
SHA-256:	06E709CAF73AA67FE7DDAF61A5EFE3DE27835A55893F3986478680A0B26E053B
SHA-512:	147471A986FD121EC0B78122E3FA35E43D582BFBA293DE925A4ABB1EC4BD183CF1CFDB5B9C763FA15483DFC2A80A997CB2A8F25EFC18250BD2495B4314F5C7F2
Malicious:	false
Reputation:	low
Preview:	7....-..........dv.......jywy..*........dv.........Q..V.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8558828373511207
Encrypted:	false
SSDEEP:	48:uiTrlKxsxxgxl9Il8u/ssRH402FMYvEg2iVd1rc:vMYpsP0IvEg2ie
MD5:	9FC3F34061993F6635E915235A51CB4B
SHA1:	5C3ED712F92F0EF44D4650DCEE8AE67AFBE5A03A
SHA-256:	A0FEABE544D9792EC00C0625BBA6F10E12C9C4F935273B548A472FFAB49C8E36
SHA-512:	0FA2F92C519C2097667DA7761CC39CA529C96165D5BBDDCDB6AEE05CAF608AB29E43582B4278ED8F442AE61463B8B40F5A96328B8EE20CCD6C93602D82A7D119
Malicious:	false
Reputation:	low
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.L.f.c.7.h.2.S.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.z.H.8.X.m.Y.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	4542
Entropy (8bit):	3.9979982676776467
Encrypted:	false
SSDEEP:	96:UYps4A40hLpuVRDZoEUPOqbtYzVUVjXmjFaeOvqBNhq:UOAxhNcRD2XPjbt8VEjTqBbq
MD5:	320953473DF765895D536710C30ECEE0
SHA1:	FC1FD67FF906CE4549D1A57805A5B71477A67EB3
SHA-256:	D26C68D0E881671CB857D0C2B533B221B92EA5AA5FC3A71FC42C1DB11F5E2F5B
SHA-512:	56E00C02EC0021C1312A0517582BA0A3F47F60F2445FFD14094D9EB79C2F4F85F207EB170449C20C2579C49CA8BD195F8D9CF294CF1DDA50BF10A0B17EACE1B9
Malicious:	false
Reputation:	low
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".l.w.z.u.1.B.W.S.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.z.H.8.X.m.Y.

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713502420675571000_6442D4D5-E32F-490B-8A72-BCFD6AD63A44.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (778), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.003810985661116667
Encrypted:	false
SSDEEP:	192:LxgvdKTn1jNNOYhnkp4qkbWkkPJBPoxZ:LxKAT1jWYhnS9kbWkUJBgx
MD5:	7D49D4D117CDBE156BBAFD3DC8CA5A7E
SHA1:	EBFD3D982466583F5EB7229D030B0B4ABA1DF8A8
SHA-256:	43365AB187E0CF3B4C86D18D16267DB04945D7273F2CCCFD1F4CD308A03A17B5
SHA-512:	149EA515D0F151C6A42632CF597EC9035F050ECAD84A6BD32D6D3568753538A7DDDA45BACE20C90E0205F48821344090471DDD9CD1653462FE72480C8883B44A
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..04/19/2024 04:53:40.854.OUTLOOK (0x1D68).0x1DD0.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":20,"Time":"2024-04-19T04:53:40.854Z","Contract":"Office.System.Activity","Activity.CV":"1dRCZC/jC0mKcrz9atY6RA.10.1","Activity.Duration":140,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...04/19/2024 04:53:40.869.OUTLOOK (0x1D68).0x1DD0.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":21,"Time":"2024-04-19T04:53:40.869Z","Contract":"Office.System.Activity","Activity.CV":"1dRCZC/jC0mKcrz9atY6RA.10","Activity.Duration":2380,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713502420676320200_6442D4D5-E32F-490B-8A72-BCFD6AD63A44.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240419T0653390838-7528.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	4.384273890319616
Encrypted:	false
SSDEEP:	384:Tw+rTC6eKNvIy5m/3WXeYQhqgGyeE2KHf2gAXnmLcz+cRFqXuTVtu36Rbbtf2siV:8+m8NnM0V0aV2s/3O
MD5:	1C1FF797A92C8F63FE2901D24C405ECF
SHA1:	6D0C5C4EDDA85117EE305E07DC746E6112B165F9
SHA-256:	1CBE5D756EECA35E2FA03BFB4BD1B2B45E4C4164843BDDF814C4ACA8149F2617
SHA-512:	F40698E95063EE7E78BB9DD07EFEFE54D9C6E1B49E3AC7991CD5EC7B8DBC4B6E4A79D9E6F18D0A1CC1154A8F543D6D47B215A03B9FBB6E74919CF36170582E9F
Malicious:	false
Reputation:	low
Preview:	............................................................................b...l...h.........................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1...........................................................0T}...........................v.2._.O.U.T.L.O.O.K.:.1.d.6.8.:.5.5.e.1.3.b.a.d.9.0.a.f.4.6.e.c.b.8.a.8.9.6.5.8.4.d.2.9.1.1.5.8...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.4.1.9.T.0.6.5.3.3.9.0.8.3.8.-.7.5.2.8...e.t.l.............P.P.l...h.........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	vCalendar calendar file
Entropy (8bit):	5.699394261370027
TrID:	iCalendar - vCalendar (13006/1) 100.00%
File name:	invite.ics
File size:	4'215 bytes
MD5:	e0891ee97e8a6c1192ffa288e5e4dd78
SHA1:	749f1a5b6119829e698c4e6919074a9fed4d9e5f
SHA256:	e82d87ea9d4202cdb387794edf21dcb2a59fa89f611999c003c896031764621e
SHA512:	3c526c42735f7109d5c3ad7e1c39a5fe34df9cba325d2cf9f475f11ecd8d9027127943c98387cf626db6a0e50da1345e8eb98d7c3d0152ad129c031fbe73cf94
SSDEEP:	96:EgfoO1k4irU0tAnpWs2gEs93TIiZ1jIn04uzXDjerJUii:do/sLpMsmlVi
TLSH:	1C9164E3B7E937B9450446DCB4D8757AFEEF2CAE88C84268F056915A00C4C1CDAB3E48
File Content Preview:	BEGIN:VCALENDAR..PRODID:-//Google Inc//Google Calendar 70.9054//EN..VERSION:2.0..CALSCALE:GREGORIAN..METHOD:REQUEST..BEGIN:VTIMEZONE..TZID:Asia/Bangkok..X-LIC-LOCATION:Asia/Bangkok..BEGIN:STANDARD..TZOFFSETFROM:+0700..TZOFFSETTO:+0700..TZNAME:+07..DTSTART

File Icon


Icon Hash:	69a88280a28280a2

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 7528, Parent PID: 2580

General

Target ID:	0
Start time:	06:53:38
Start date:	19/04/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /ical "C:\Users\user\Desktop\invite.ics"
Imagebase:	0xaa0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report invite.ics

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\517F07F3-F516-4D44-BE42-7DD45F243AA4

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713502420675571000_6442D4D5-E32F-490B-8A72-BCFD6AD63A44.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713502420676320200_6442D4D5-E32F-490B-8A72-BCFD6AD63A44.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240419T0653390838-7528.etl

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: OUTLOOK.EXEPID: 7528, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
invite.ics