IOC Report
Fwd_ Money-Back Fund Recovery Avtal.msg

loading gif

Files

File Path
Type
Category
Malicious
Fwd_ Money-Back Fund Recovery Avtal.msg
CDFV2 Microsoft Outlook Message
initial sample
C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
data
dropped
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\48B20F25-693B-4953-AE33-6DC7E35E4C09
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E172931.dat
PNG image data, 82 x 97, 8-bit/color RGBA, non-interlaced
modified
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{03D323D6-A084-447A-BE3F-719FAF9418DA}.tmp
data
dropped
C:\Users\user\AppData\Local\Temp\~DFB841930F9A1C369D.TMP
data
dropped
C:\Users\user\Documents\Outlook Files\Outlook.pst
Microsoft Outlook email folder (>=2003)
dropped
C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp
data
dropped
C:\Windows\INF\Outlook\outlperf.h
ASCII text, with CRLF line terminators
dropped
C:\Windows\INF\Outlook\outlperf.ini
Generic INItialization configuration [languages]
dropped
C:\Windows\SysWOW64\PerfStringBackup.INI
data
dropped
C:\Windows\SysWOW64\PerfStringBackup.TMP
data
dropped
C:\Windows\System32\perfc009.dat
data
dropped
C:\Windows\System32\perfh009.dat
data
dropped
There are 4 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fwd_ Money-Back Fund Recovery Avtal.msg

URLs

Name
IP
Malicious
https://api.diagnosticssdf.office.com
unknown
https://login.microsoftonline.com/
unknown
https://shell.suite.office.com:1443
unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
unknown
https://autodiscover-s.outlook.com/
unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
unknown
https://cdn.entity.
unknown
https://api.addins.omex.office.net/appinfo/query
unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey
unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
unknown
https://powerlift.acompli.net
unknown
https://rpsticket.partnerservices.getmicrosoftkey.com
unknown
https://lookup.onenote.com/lookup/geolocation/v1
unknown
https://cortana.ai
unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
https://cloudfiles.onenote.com/upload.aspx
unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
unknown
https://entitlement.diagnosticssdf.office.com
unknown
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
unknown
https://api.aadrm.com/
unknown
https://ofcrecsvcapi-int.azurewebsites.net/
unknown
https://www.yammer.com
unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
unknown
https://api.microsoftstream.com/api/
unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
unknown
https://cr.office.com
unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
unknown
https://portal.office.com/account/?ref=ClientMeControl
unknown
https://graph.ppe.windows.net
unknown
https://res.getmicrosoftkey.com/api/redemptionevents
unknown
https://powerlift-frontdesk.acompli.net
unknown
https://tasks.office.com
unknown
https://officeci.azurewebsites.net/api/
unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
unknown
https://api.scheduler.
unknown
https://my.microsoftpersonalcontent.com
unknown
https://store.office.cn/addinstemplate
unknown
https://api.aadrm.com
unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=
unknown
https://globaldisco.crm.dynamics.com
unknown
https://messaging.engagement.office.com/
unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
https://dev0-api.acompli.net/autodetect
unknown
https://www.odwebp.svc.ms
unknown
https://api.diagnosticssdf.office.com/v2/feedback
unknown
https://api.powerbi.com/v1.0/myorg/groups
unknown
https://web.microsoftstream.com/video/
unknown
https://api.addins.store.officeppe.com/addinstemplate
unknown
https://graph.windows.net
unknown
https://dataservice.o365filtering.com/
unknown
https://officesetup.getmicrosoftkey.com
unknown
https://analysis.windows.net/powerbi/api
unknown
https://prod-global-autodetect.acompli.net/autodetect
unknown
https://outlook.office365.com/autodiscover/autodiscover.json
unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
unknown
https://consent.config.office.com/consentcheckin/v1.0/consents
unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
unknown
https://d.docs.live.net
unknown
https://ncus.contentsync.
unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
unknown
http://weather.service.msn.com/data.aspx
unknown
https://apis.live.net/v5.0/
unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
unknown
https://messaging.lifecycle.office.com/
unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
unknown
https://pushchannel.1drv.ms
unknown
https://management.azure.com
unknown
https://outlook.office365.com
unknown
https://wus2.contentsync.
unknown
https://incidents.diagnostics.office.com
unknown
https://clients.config.office.net/user/v1.0/ios
unknown
https://make.powerautomate.com
unknown
https://insertmedia.bing.office.net/odc/insertmedia
unknown
https://o365auditrealtimeingestion.manage.office.com
unknown
https://outlook.office365.com/api/v1.0/me/Activities
unknown
https://api.office.net
unknown
https://incidents.diagnosticssdf.office.com
unknown
https://asgsmsproxyapi.azurewebsites.net/
unknown
https://clients.config.office.net/user/v1.0/android/policies
unknown
https://entitlement.diagnostics.office.com
unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
unknown
https://substrate.office.com/search/api/v2/init
unknown
https://outlook.office.com/
unknown
https://storage.live.com/clientlogs/uploadlocation
unknown
https://login.windows.local
unknown
https://outlook.office365.com/
unknown
https://webshell.suite.office.com
unknown
http://schema.org
unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
unknown
https://substrate.office.com/search/api/v1/SearchHistory
unknown
https://management.azure.com/
unknown
https://messaging.lifecycle.office.com/getcustommessage16
unknown
https://api.officescripts.microsoftusercontent.com/api
unknown
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
unknown
https://login.windows.net/common/oauth2/authorize
unknown
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
unknown
There are 90 hidden URLs, click here to show them.

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
*v4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
+v4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
PerfIniFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
Updating
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
Last Counter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
Last Help
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
First Counter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
First Help
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
RemoteClearDate
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3
Last
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
FilePath
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
StartDate
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
EndDate
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
Properties
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
Url
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
LastClean
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableWinHttpCertAuth
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableIsOwnerRegex
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableSessionAwareHttpClose
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableADALForExtendedApps
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableADALSetSilentAuth
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
msoridDisableGuestCredProvider
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
msoridDisableOstringReplace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
WORDSharedFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail
FirstRunOnRTM
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
f 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Display Types\Balloons
HWND64ForOrphanedNotIcon
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
# 4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
11023d05
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents
LastPurgeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
ProductFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
OUTLOOKFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
EXCELFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\SQM
SQMSessionNumber
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\SQM
SQMSessionDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
Last Counter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
Last Help
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
00030429
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
OutlookMAPI2Intl_1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
OutlookMAPI2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
OUTLOOKFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
WORDFiles
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Forms Registry
CacheSyncCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
ProductFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastSyncTime
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastWriteTime
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
000b046b
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
ColleagueImport.ColleagueImportAddin
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin
1
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1
1
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
OneNote.OutlookAddin
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin
1
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
OscAddin.Connect
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect
1
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
UCAddin.LyncAddin.1
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\UCAddin.LyncAddin.1
1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
OUTLOOKFilesIntl_1033
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
UmOutlookAddin.FormRegionAddin
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\UmOutlookAddin.FormRegionAddin
1
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
WORDFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Search\Catalog
C:\Users\user\Documents\Outlook Files\Outlook.pst
There are 75 hidden registries, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
249906EF000
heap
page read and write
24991460000
trusted library allocation
page read and write
249907A0000
trusted library allocation
page read and write
B1BF7F9000
stack
page read and write
B1BF6FE000
stack
page read and write
B1BF87F000
stack
page read and write
24990680000
trusted library allocation
page read and write
249906B1000
heap
page read and write
24990660000
heap
page read and write
249906E7000
heap
page read and write
B1BF8FF000
stack
page read and write
249905F0000
heap
page read and write
B1BF3EC000
stack
page read and write
24990670000
trusted library allocation
page read and write
249906A0000
heap
page read and write
24990490000
heap
page read and write
B1BF9FC000
stack
page read and write
249906EF000
heap
page read and write
249913E0000
trusted library allocation
page read and write
B1BF779000
stack
page read and write
24991400000
trusted library allocation
page read and write
24990690000
trusted library allocation
page read and write
24991410000
trusted library allocation
page read and write
2499070F000
heap
page read and write
249906FD000
heap
page read and write
249905D0000
heap
page read and write
249913F0000
heap
page readonly
249906FE000
heap
page read and write
24990665000
heap
page read and write
24990669000
heap
page read and write
249904A0000
trusted library allocation
page read and write
B1BF67E000
stack
page read and write
B1BF97B000
stack
page read and write
249906EE000
heap
page read and write
249911A0000
trusted library allocation
page read and write
There are 25 hidden memdumps, click here to show them.