Edit tour

Windows Analysis Report
I Il certificato di firma automatica sta per scadere (1).msg

Overview

General Information

Sample name:	I Il certificato di firma automatica sta per scadere (1).msg
Analysis ID:	1466883
MD5:	1c403dafbb8e3c2f2f9b4fbcc1044fbd
SHA1:	5f5d352f91fb2e29e45aeaa678c492b58b0819b9
SHA256:	f3de3472325dbfb126d3f0f0f34b2c8f58963b40e4bf4917d2495a99b6a35c6d
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected suspicious e-Mail

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7200 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I Il certificato di firma automatica sta per scadere (1).msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7736 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "84419986-A25E-468E-B5C2-EC3B88F7684C" "14155098-F4B2-4507-AD22-19D8DBE06F9E" "7200" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7200, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: I Il certificato di firma automatica sta per scadere (1).msg	String found in binary or memory: http://schema.org
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.aadrm.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.cortana.ai
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.office.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.onedrive.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://api.scheduler.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://app.powerbi.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://augloop.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cdn.entity.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cortana.ai
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cortana.ai/api
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://cr.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://d.docs.live.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://directory.services.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ecs.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: I Il certificato di firma automatica sta per scadere (1).msg, ~WRS{99149BF1-2A47-4EF2-8479-CF9469A261FE}.tmp.0.dr	String found in binary or memory: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fselfcare.firma-remota.it%2Fasmonit
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://graph.windows.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://graph.windows.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://invites.office.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.windows.local
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://management.azure.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://management.azure.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messageuserer.mobile.m365.svc.cloud.microsoft
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://messaging.office.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://officeapps.live.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://onedrive.live.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office365.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: I Il certificato di firma automatica sta per scadere (1).msg	String found in binary or memory: https://selfcare.firma-remota.it/asmonitor/panel/login
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://service.powerapps.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://settings.outlook.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://substrate.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://tasks.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winMSG@3/15@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0836070734-7200.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I Il certificato di firma automatica sta per scadere (1).msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "84419986-A25E-468E-B5C2-EC3B88F7684C" "14155098-F4B2-4507-AD22-19D8DBE06F9E" "7200" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "84419986-A25E-468E-B5C2-EC3B88F7684C" "14155098-F4B2-4507-AD22-19D8DBE06F9E" "7200" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected suspicious e-Mail

Source: e-Mail

LLM: Score: 9 Reasons: The email impersonates Microsoft by using the 'Microsoft account team' as the sender name. The subject line creates a sense of urgency with 'Microsoft account unusual sign-in activity'. The email body uses social engineering tactics, warning the recipient about unusual sign-in activity and urging them to review recent activity. The provided URL (https://selfcare.firma-remota.it/asmonitor/panel/login) does not belong to Microsoft and is likely a phishing link designed to steal login credentials.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://api.microsoftstream.com/api/	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messageuserer.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://outlook.office.com/autosuggest/api/v1/init?cvid=	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://api.addins.omex.office.net/api/addins/search	0%	URL Reputation	safe
https://insertmedia.bing.office.net/odc/insertmedia	0%	URL Reputation	safe
https://outlook.office365.com/api/v1.0/me/Activities	0%	URL Reputation	safe
https://api.office.net	0%	URL Reputation	safe
https://incidents.diagnosticssdf.office.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/android/policies	0%	URL Reputation	safe
https://entitlement.diagnostics.office.com	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	0%	URL Reputation	safe
https://substrate.office.com/search/api/v2/init	0%	URL Reputation	safe
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fselfcare.firma-remota.it%2Fasmonit	0%	Avira URL Cloud	safe
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	0%	Avira URL Cloud	safe
https://d.docs.live.net	0%	Avira URL Cloud	safe
https://selfcare.firma-remota.it/asmonitor/panel/login	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://cortana.ai	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://cr.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	Avira URL Cloud: safe	unknown
https://messageuserer.mobile.m365.svc.cloud.microsoft	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.scheduler.	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://globaldisco.crm.dynamics.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://selfcare.firma-remota.it/asmonitor/panel/login	I Il certificato di firma automatica sta per scadere (1).msg	true	Avira URL Cloud: safe	unknown
https://d.docs.live.net	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	Avira URL Cloud: safe	unknown
https://safelinks.protection.outlook.com/api/GetPolicy	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	Avira URL Cloud: safe	unknown
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fselfcare.firma-remota.it%2Fasmonit	I Il certificato di firma automatica sta per scadere (1).msg, ~WRS{99149BF1-2A47-4EF2-8479-CF9469A261FE}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://management.azure.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://api.office.net	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnosticssdf.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnostics.office.com	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com/search/api/v2/init	C0A2A57E-2974-412F-B9BE-C01D1B595649.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466883
Start date and time:	2024-07-03 14:35:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	I Il certificato di firma automatica sta per scadere (1).msg
Detection:	SUS
Classification:	sus21.winMSG@3/15@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 184.28.90.27, 52.113.194.132, 20.189.173.17, 20.189.173.11
Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, onedscolprdwus22.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdwus10.westus.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: I Il certificato di firma automatica sta per scadere (1).msg

Input	Output
URL: e-Mail Model: gpt-4o	```json{ "riskscore": 9, "brand_impersonated": "Microsoft", "reasons": "The email impersonates Microsoft by using the 'Microsoft account team' as the sender name. The subject line creates a sense of urgency with 'Microsoft account unusual sign-in activity'. The email body uses social engineering tactics, warning the recipient about unusual sign-in activity and urging them to review recent activity. The provided URL (https://selfcare.firma-remota.it/asmonitor/panel/login) does not belong to Microsoft and is likely a phishing link designed to steal login credentials."}

URL: e-Mail Model: gpt-4o

```json{  "riskscore": 9,  "brand_impersonated": "Microsoft",  "reasons": "The email impersonates Microsoft by using the 'Microsoft account team' as the sender name. The subject line creates a sense of urgency with 'Microsoft account unusual sign-in activity'. The email body uses social engineering tactics, warning the recipient about unusual sign-in activity and urging them to review recent activity. The provided URL (https://selfcare.firma-remota.it/asmonitor/panel/login) does not belong to Microsoft and is likely a phishing link designed to steal login credentials."}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.3800901511464305
Encrypted:	false
SSDEEP:	1536:8HYLizgsraPKJKZxQfgst3NcAz79ysQqt2iqcgqoQLIrcm0Fv7bsym1Xdkzi9EWw:96g2UigemiGu2bqoQMrt0FvnEQTZ7S6b
MD5:	E5DBA724B26BE85C0AA6295B927C51A1
SHA1:	0C6115C8D79F8E23F61FC7AF5965CF9AFAD693FF
SHA-256:	902B8E78FE8DC315ABF5D339A6F2A9011B086F09DEA263F3188D6A78D0EAFA11
SHA-512:	72278CCE48A848C993EBADC97F9449AE074D76C5A5D1C50FCE6241BECE208C8C2A3264B76DAA9A5C347ECAB5E6DD9E23C280C1282A828BA9FF1778D1C6851BCE
Malicious:	false
Reputation:	low
Preview:	TH02...... .P...E.......SM01X...,.......E...........IPM.Activity...........h...............h............H..h..h......d.....h............H..h\bro ...pDat...hP..0.....h....h\a6............h........_`Ck...h.g6.@...I.ew...h....H...8.Hk...0....T...............d.........2h...............k..............!h.............. h.~v.......h...#h....8.........$h........8....."h........0.....'h..x...........1h\a6.<.........0h....4....Hk../h....h.....HkH..h.N..p.....h...-h .......<.h...+h.a6.......h................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:	dropped
Size (bytes):	1869
Entropy (8bit):	5.08714407790419
Encrypted:	false
SSDEEP:	48:cGEdSyr3nzyldyadyoSyrYnzyronzyrZdnzy8ASyedy5JdykkSyO:sdbb2lEaEobE282Nd28AbeEjELbO
MD5:	4B2CE7E32B7794E5C0A834DDF82F3517
SHA1:	2A42DF1EACA994E477CA2A06200F0B050A321D02
SHA-256:	557E594BBB351F371E1D86FD030EBB2C2A1E2CE12D90EFED02B4D572074E6486
SHA-512:	EDB8B6283C93B7B5B5699833DA38FA6384450AFCD5837608F2DA4FFF8A5E656064C9B1E4A0ED0097D43322D1E075968059FC020343C474EFD0F0DFE3DC5C5CA1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Narrow_26215424</Id><LAT>2024-07-03T12:36:08Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2024-07-03T12:36:08Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2024-07-03T12:36:08Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2024-07-03T12:36:09Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2024-07-03T12:36:08Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2024-07-03T12:36:08Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JSON data
Category:	dropped
Size (bytes):	521377
Entropy (8bit):	4.9084889265453135
Encrypted:	false
SSDEEP:	3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
MD5:	C37972CBD8748E2CA6DA205839B16444
SHA1:	9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:	D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:	02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:	dropped
Size (bytes):	773040
Entropy (8bit):	6.55939673749297
Encrypted:	false
SSDEEP:	12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
MD5:	4296A064B917926682E7EED650D4A745
SHA1:	3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:	E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:	A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........... OS/29....(...`cmap.s.,.......pglyf..&....\|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N.........!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&..............&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q..................{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...p..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C0A2A57E-2974-412F-B9BE-C01D1B595649

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174490
Entropy (8bit):	5.289611900071921
Encrypted:	false
SSDEEP:	1536:ri2JfRAqcbH41gwEOLe7HWaM/o//MRcAZl1p5ihs7EXXmEAD2OdaB:Ece7HWaM/o/7XDk2
MD5:	7ED2ECD0AE27F97C6A40468FDDF16118
SHA1:	DC8357CE2DD9ED2B512FA925AC3BC3AB5108A5EE
SHA-256:	1E3FA140C5862A28DA46AEE72A81FC0CCB0D06E339BC17E2530CB3DF1C0B0BFF
SHA-512:	9BF5E2A69192BDFE6D2A9D7B142128B1A7EF8FDE3411434BD891A78D965809ABD420E370AC35785F043FEFA3B0F943D4D82A6ABCCC31A190E977DA29A93A3CDF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-07-03T12:36:09">.. Build: 16.0.17812.40128-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04587332210802959
Encrypted:	false
SSDEEP:	3:GtlxtjlP7kFyi9HYtlxtjlP7kFyilltjR9//8l1lvlll1lllwlvlllglbelDbllb:GtT4lYtT4//9X01PH4l942wU
MD5:	35504F36EB35536FB39175BDB757AF47
SHA1:	3F507CB81DF14EA15F30DD775361E5815907DDF1
SHA-256:	2CEF281A2892A76604712744410ACA4F4E877BB4658BF9D0C35B9F3179DE452F
SHA-512:	5C3E31666B64F0D43947EF9474A98CDA372D0EB3B8875864842716BF3018D9F82850593C258203C2775491BE7E9EB723A0F8581F8F240CC0CD1104D2D0D369DD
Malicious:	false
Reputation:	low
Preview:	..-......................o..y..(..aL.....0R...-......................o..y..(..aL.....0R.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4822485674530425
Encrypted:	false
SSDEEP:	48:lXQ1OmQlUll7DYM2zO8VFDYMWuBO8VFDYML:yYmtll4djVGbkjVGC
MD5:	DCEDF0A7B2B736198C61E91EA2FFB0F5
SHA1:	E83EBC826E50CA6D331D23F93196CA7B87604B57
SHA-256:	F6BC757F59C0F4A2F88EE28DCE309055EF7AE66B2E58E64CA2C30913A05AA079
SHA-512:	335688179893018A8E7733DADD4F942D0E9D453AD8BC7B2A3C9BAAFA94E997D7B8621B7EC21EA28984C9F5B177F83BBE80E2F3964F7910D78B942485D140CC9A
Malicious:	false
Reputation:	low
Preview:	7....-...........(..aL.w.+.A.e..........(..aL...~.....SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{99149BF1-2A47-4EF2-8479-CF9469A261FE}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	3812
Entropy (8bit):	2.817591701670878
Encrypted:	false
SSDEEP:	48:lbEObGtEbGt444/9DzfouM51kDeXvBIFNvkGNuZLR80aBAYmVO:ZlSt444/9/foDNJIFNcF780aBAYm
MD5:	FA530CB4BC8DDE58B42F0B6A3281788B
SHA1:	4D97F449D3BE433DBDD9C94CED72869299D097D4
SHA-256:	4547282B549D8F736670A6C81FEA2D5DE14EBC238C374C542E93CE118547926F
SHA-512:	97D4BEC645649F43C3D2D2E2AB26476AF3C8A4DA76A8C2E3A7811D66F16C48CBB9F84AC1C0442D9D348C0C60A04658689BAB20EDDF5BC4CF4D9EF5957113FA5E
Malicious:	false
Reputation:	low
Preview:	....G.e.n.t.i.l.i.s.s.i.m.i.,..... .u.n.a. .m.a.i.l. .m.a.l.i.g.n.a. .o. .a.u.t.e.n.t.i.c.a.?...G.r.a.z.i.e.,...G...C....................................................................................................................................................................................................................................................................................................................................................................................................................... ...`...p...z...h...J...N...................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1720010168024256000_9A5CA0B0-39C5-4553-A1A0-3E721EA1AC83.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28772), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16235307121021994
Encrypted:	false
SSDEEP:	1536:ZZK6zPRDTkv/ka+Vi2GZTZCTlwzf5N8bbcjdJwggjtTBFyjCm2BY:RPRi/kP4w7
MD5:	453BBF9477312B7326B1947A4235627F
SHA1:	EF2EB50E7A8775A81B7054791B20EACC8B26B942
SHA-256:	9547628C9089AE6B13B95CB6218A56092C06FD49D38533A916DB72AE44799475
SHA-512:	84C097F047ECA973572E5D71FECCB17B11524B00E9D571522FF8EEAC513B46788CEA9A6C0D521584995162A03F7DFFA49AF17EA6C2BFEA6CCB77FCD5A3390B21
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/03/2024 12:36:08.094.OUTLOOK (0x1C20).0x1C1C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-07-03T12:36:08.094Z","Contract":"Office.System.Activity","Activity.CV":"sKBcmsU5U0WhoD5yHqGsgw.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/03/2024 12:36:08.109.OUTLOOK (0x1C20).0x1C1C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-07-03T12:36:08.109Z","Contract":"Office.System.Activity","Activity.CV":"sKBcmsU5U0WhoD5yHqGsgw.4.10","Activity.Duration":12407,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1720010168025803800_9A5CA0B0-39C5-4553-A1A0-3E721EA1AC83.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0836070734-7200.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	4.455497348251932
Encrypted:	false
SSDEEP:	768:Lv6rGqs9nMyqO2ji5reZGO+DMbmk0uh+KuSQ4bfzFHFPl9iX1bYB7xZ4FWOvr2aZ:Nc4hM9BEl3XWt00m
MD5:	AABD8460EEBB991902C47DE1FE6E553D
SHA1:	7C4F55DF7707C243E1CBA86DF3D402620D04ADF1
SHA-256:	42EDF97D37599DF0A1079D10970E9307BB9A69F8615D0345FD025879603203CA
SHA-512:	291583DA6F365167D9726E4E61A5798AAEE9ACC364EB5262D1243803F6D0C0AFDAEA96D98F2FF52ACD0E3A52AA43135D05622D631640CB450A30662FAF4E25F8
Malicious:	false
Preview:	............................................................................`....... ......E...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................./.i..............E...........v.2._.O.U.T.L.O.O.K.:.1.c.2.0.:.0.8.e.c.e.1.b.a.a.7.f.b.4.f.8.2.9.a.e.b.7.a.0.8.f.d.5.2.9.4.2.3...C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.7.0.3.T.0.8.3.6.0.7.0.7.3.4.-.7.2.0.0...e.t.l.......P.P..... ...v..E...........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2777870290E0476C.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.4650508976522621
Encrypted:	false
SSDEEP:	192:g31rVy7Fr8rN/1IzAyoNhnhMoa1nUIAbA7MrM4ELIwqiqjAqZNgiXHWQOu9N7/:6ny+pSknn0FUIMMMrM4YqiqjeiXHOu
MD5:	6725C7492022DDEF1E883EB8BD3B2AB3
SHA1:	D7507EA58C7E90425D9434BBDFEB3672DDF8A473
SHA-256:	4357C253E14ADF675541EE15D595B5FEC374502DF283899AB6EC3268B98D1BC2
SHA-512:	27C19E28D55068B91B76A11E5AA1ED824AAF4F782CAA07EA513455417AA8283657BBEA5DC6548CD2EF8F71D33E0502E11CF162154876A4B530A17510356CFBEC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:O0Z:O
MD5:	0D5FA69AE9E7EC068755550CCD6E6FF4
SHA1:	1A153992C7322CA4F4B398617AB093D438E7395D
SHA-256:	6508EE02EDB30457C8C286E122DED84245D8EFDF614EDFC71756376279F38273
SHA-512:	0C67E2AD6C80E280962BA1F5370AB5E3372058107BF6BC0EC1B410BF9839CBEB6EAAD5E2FCCDDB0C2E569ED9ABE9C6481034F229A6F266FFF80593652E2BFCC2
Malicious:	false
Preview:	..............................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.2905501780594537
Encrypted:	false
SSDEEP:	768:QJQccq95kPTvh529DyJvbcy/t18CGQ7WYtNVTIVb5Lp:fYaPTTyDyJgy/8ktgVFL
MD5:	DD6E2851EE40BBE73B3760B6756E7189
SHA1:	B2139A842F63CA1988731750A71F7A60CB67303A
SHA-256:	38791432F9223F060205DDD2E103F9C5050E8CF72A2627F0D28362F3D0D0ED46
SHA-512:	B25DEA1E46D08F0D999EE96D806D5FC241C1FB7EFC5647A04E823F2BCAAB96D2DCEC7180DAA41021D84D4D8D5B8222EAFEA2E2743D1CA7DD47EAFF993997F27D
Malicious:	false
Preview:	!BDN.[..SM......\.......................U................@...........@...@...................................@...........................................................................$.......D.......T..........................................................................................................................................................................................................................................................................................................................@........47..8......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.9684022637995517
Encrypted:	false
SSDEEP:	384:GoiyJ3Q47w57vibhDc16yHWO+9OQD3rGtPV:GoiyJgzNoGFpX
MD5:	56594767A3A7097C53DDC314C604E74F
SHA1:	EF03AA83547F4CF07D0CAEFA85759E3E07D4F575
SHA-256:	EE0078FF081B9F13B1EC9EA57E17427BD9C5C23847B4A6C2A3A8AEE7AA9E9A7C
SHA-512:	A9D518A54B16F9EF5B1A90A23ACE200C29BAB646556292DE7351A789ACB724506D7D78D40A3F8AD860DA7C6168E0AB556D7787EE4253A73FCA0445691D5F9689
Malicious:	false
Preview:	./..C...Z....... ...S.E.....................#.!BDN.[..SM......\.......................U................@...........@...@...................................@...........................................................................$.......D.......T..........................................................................................................................................................................................................................................................................................................................@........47..8..S.E........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	3.772090454805211
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	I Il certificato di firma automatica sta per scadere (1).msg
File size:	78'336 bytes
MD5:	1c403dafbb8e3c2f2f9b4fbcc1044fbd
SHA1:	5f5d352f91fb2e29e45aeaa678c492b58b0819b9
SHA256:	f3de3472325dbfb126d3f0f0f34b2c8f58963b40e4bf4917d2495a99b6a35c6d
SHA512:	9a09f58800e09c0f02a5331619ca0ba6a3de17b5fbf2505f8b4b28f5202db16b61090bbd0263533b81510c49c9a9eea55e331f074bded41a3660c3cad8a44962
SSDEEP:	768:KYgUqTg6ysGQxcK4pYt0ul19nWsKlWXKJWsK9WsKlWfgmGgRRboADN6194KEWsKO:TIOFQUu1W9WkWVW9WPWQqtO7i
TLSH:	EA73D22439F94615F2B7DF714BE290978536FC92AD24CA8F3191734E0673A81AC61B3B
File Content Preview:	........................>...................................#..................................................................................................................................................................................................

Static Mail

General

Subject:	I: Il certificato di firma automatica sta per scadere
From:	Chiappiniello Giovanni <giovanni.chiappiniel@avvocaturastato.it>
To:	Assistenza Tecnica <assistenza.tecnica@avvocaturastato.it>
Cc:
BCC:
Date:	Tue, 02 Jul 2024 19:13:26 +0200
Communications:	Gentilissimi, una mail maligna o autentica? Grazie, G.C. ________________________________ Da: comunicazioni@firma-automatica.it <comunicazioni@firma-automatica.it> Inviato: venerd 28 giugno 2024 08:05 A: Chiappiniello Giovanni <giovanni.chiappiniel@avvocaturastato.it> Oggetto: Il certificato di firma automatica sta per scadere Gentile cliente, la informiamo che ha ancora pochi giorni per rinnovare il suo certificato di firma automatica che scadr il 01/07/2024. Rinnovi subito accedendo al pannello selfcare e firmando il modulo di rinnovo. https://selfcare.firma-remota.it/asmonitor/panel/login <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fselfcare.firma-remota.it%2Fasmonitor%2Fpanel%2Flogin&data=05%7C02%7Cassistenza.tecnica%40avvocaturastato.it%7C546271faa96f4989199008dc9aba4983%7C5898f550e67344f9bff73fc0f3ed972e%7C0%7C0%7C638555372084836788%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=dEq0ce9K3uXkkuIiFMTSpx0L24g%2BPnwdo%2BrWGsFgoGM%3D&reserved=0> IMPORTANTE Dopo la scadenza del certificato non sar pi possibile eseguire il rinnovo ma sar necessario richiedere all'amministratore la generazione di un nuovo certificato. DETTAGLI FIRMA AUTOMATICA IN SCADENZA Codice Fiscale associato al certificato: CHPGNN89S06H501Z Data scadenza certificato di firma: 01/07/2024 Cordiali Saluti =================================== Servizio Firma Automatica ===================================
Attachments:

Headers

Key	Value
Received	from VI1PR0402MB3536.eurprd04.prod.outlook.com
17	13:26 +0000
Authentication-Results	dkim=none (message not signed)
by PR3PR04MB7356.eurprd04.prod.outlook.com (2603	10a6:102:8d::10) with
2024 17	13:26 +0000
([fe80	:1aac:fbd5:ceee:50fb%4]) with mapi id 15.20.7698.025; Tue, 2 Jul 2024
Content-Type	application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding	binary
From	Chiappiniello Giovanni <giovanni.chiappiniel@avvocaturastato.it>
To	Assistenza Tecnica <assistenza.tecnica@avvocaturastato.it>
Subject	I: Il certificato di firma automatica sta per scadere
Thread-Topic	Il certificato di firma automatica sta per scadere
Thread-Index	AQHaySEuN+TbYXLJ0UagrxyUCL/ZwLHjs/Wz
Date	Tue, 2 Jul 2024 17:13:26 +0000
Message-ID	<VI1PR0402MB3536F0609325BB7556EDBC87FFDC2@VI1PR0402MB3536.eurprd04.prod.outlook.com>
References	<343678883.49949.1719554726862.JavaMail.tomcat@firmaaprov01.ca.actalis.it>
In-Reply-To	<343678883.49949.1719554726862.JavaMail.tomcat@firmaaprov01.ca.actalis.it>
Accept-Language	it-IT, en-US
Content-Language	it-IT
X-MS-Has-Attach	X-MS-Exchange-Organization-SCL: 1
X-MS-TNEF-Correlator	<VI1PR0402MB3536F0609325BB7556EDBC87FFDC2@VI1PR0402MB3536.eurprd04.prod.outlook.com>
msip_labels	MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality	Originating
X-MS-Exchange-Organization-AuthSource	VI1PR0402MB3536.eurprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Internal
X-MS-Exchange-Organization-AuthMechanism	04
X-MS-Exchange-Organization-Network-Message-Id	546271fa-a96f-4989-1990-08dc9aba4983
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	VI1PR0402MB3536:EE_\|PR3PR04MB7356:EE_\|AS8PR04MB9175:EE_
Return-Path	giovanni.chiappiniel@avvocaturastato.it
X-MS-Exchange-Organization-ExpirationStartTime	02 Jul 2024 17:13:26.9916
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Office365-Filtering-Correlation-Id	546271fa-a96f-4989-1990-08dc9aba4983
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Microsoft-Antispam	BCL:0;ARA:13230040\|366016\|41050700001;
X-Forefront-Antispam-Report	CIP:255.255.255.255;CTRY:;LANG:it;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:VI1PR0402MB3536.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(41050700001);DIR:INT;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	02 Jul 2024 17:13:26.7433
X-MS-Exchange-CrossTenant-FromEntityHeader	Hosted
X-MS-Exchange-CrossTenant-Id	5898f550-e673-44f9-bff7-3fc0f3ed972e
X-MS-Exchange-CrossTenant-AuthSource	VI1PR0402MB3536.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Internal
X-MS-Exchange-CrossTenant-Network-Message-Id	546271fa-a96f-4989-1990-08dc9aba4983
X-MS-Exchange-CrossTenant-MailboxType	HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName	XiVsCG5t808xNOcnIaxCykVFbEK6vEZ3beZHPsEq6MAfPt7kuxAxJO5njC/rEy5Jj+2WXqEt0slKhOQUcvcHzfigG8ixpJxMNP6VjSuR9vnvYFu+R3b6rIWmzaDSOb4Q
X-MS-Exchange-Transport-CrossTenantHeadersStamped	PR3PR04MB7356
X-MS-Exchange-Transport-EndToEndLatency	00:00:01.5198220
X-MS-Exchange-Processed-By-BccFoldering	15.20.7698.013
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	U3TyyWfp9uYGAR1nbUvjuqgvBn5YU9gWyZyvljUXhL/EcXvX4Y0L0S+cQmbg6yYhW9vFW54w8wehpPr58UeT6FXAkqIhvvYA8x6a99VuGkHJnf6XiOGYK4HJOlxV8Hhdp2vbG/NeJqcJGIfVSnFMpqLxxAoktjw9HoTh+JyqUhGvEbsp4K37+E1OaNfp9IFNbhxX10+LNkzzbBGe5WQD1MtLdaoRwie6O2wSvStf54cluye654om7eXT0xHvS5ipltplb1jxDrt4/9R1x1OWuH3YXDODegf0QT8oQY87LmcmQhWsOheoVjbgsE1pdoaFXvxAIlTuNYpJJx18MjlNQ+bKn34dX82CiMm1kdpYHEWdYTCwKFOvc74jf3oiRjkEMELS1J9lfkA+y0ocQsabBL5BR0Y0m8HhxNPOxhyfvK8ApebCWCuQMXcUnjD+pmCJrM/zF0jOMQ46hTpkqYBVc/O+Pm0yB/TLaysabfuHMAWovDCWgwpNklmy1r3rykdeZN96h+1V9ClLtxxQqEmoDHSrVtWdQsHv2/9kVnah08jjX6tYnRp2DfAC/qNaFY/SGTzzBg7RIYd76c/KI2JRsXICHLirqEJwzd39JaXldNebICEeF6bCBxldNRjwOygyJLvUGss362wl1XyjbQmTlYKqmX76QMkdBNnk1ujGpm8k4plEpczvyV7pxIfhMw1PBPw2WCNK+V5j1nYAltSWU3kXeCtvh7iL/VQDzjpM4xuV4DcJkWVpwYUxHDRPCzevMZVa+eFlEstoxVLzJRsniNuPeDd/kxmTw7/jM0RbVFcqZId64Vftx6jNO4tNefOSfoIhplJnDmJzC4Xuwrk+dg==
date	Tue, 02 Jul 2024 19:13:26 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Target ID:	0
Start time:	08:36:07
Start date:	03/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I Il certificato di firma automatica sta per scadere (1).msg"
Imagebase:	0x790000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:36:09
Start date:	03/07/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "84419986-A25E-468E-B5C2-EC3B88F7684C" "14155098-F4B2-4507-AD22-19D8DBE06F9E" "7200" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7780f0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report I Il certificato di firma automatica sta per scadere (1).msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C0A2A57E-2974-412F-B9BE-C01D1B595649

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{99149BF1-2A47-4EF2-8479-CF9469A261FE}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1720010168024256000_9A5CA0B0-39C5-4553-A1A0-3E721EA1AC83.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1720010168025803800_9A5CA0B0-39C5-4553-A1A0-3E721EA1AC83.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T0836070734-7200.etl

C:\Users\user\AppData\Local\Temp\~DF2777870290E0476C.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
I Il certificato di firma automatica sta per scadere (1).msg