Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ALERT Home Network Breaches.msg

CDFV2 Microsoft Outlook Message

initial sample

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Microsoft Outlook email folder (>=2003)

dropped

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0f3e10bf-0d28-4c94-8d91-4561f795d906.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1778f9f2-db4a-4d4b-bd01-00c3979c4a45.tmp

JSON data

modified

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\42590f2e-bbdc-4a86-8ab8-a22a956f52c4.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5c69cb54-c82c-4186-8424-927165d04416.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9ae2d255-8deb-4917-8c5a-18814d4cb829.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\2e13e658-bfec-40b6-9876-6848ed7cc5b2.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-671B34EB-1A34.pma

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-671B34EC-C14.pma

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\016ed235-95a4-455b-bed0-b67b4f3d070b.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\1949da5f-e25b-48a6-809f-26ad33290a66.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\21c42e78-8783-4cdc-b097-c463441298b2.tmp

JSON data

modified

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\4c8faf52-546a-413f-85df-9bea2e9ca82e.tmp

ASCII text, with very long lines (1597), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\7248c957-3dd1-4888-a66e-e7051a7ed343.tmp

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

OpenPGP Secret Key

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000003.log

data

modified

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DIPS

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DashTrackerDatabase

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 6

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

OpenPGP Secret Key

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\domains_config.json

JSON data

modified

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HubApps (copy)

ASCII text, with very long lines (1597), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HubApps Icons

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 12, cookie 0x3, schema 4, UTF-8, version-valid-for 7

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\60e8921e-53e2-4f2d-a909-6c81d9255bcf.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\9de25ede-6543-471a-ae2c-fbdaf2cfe2f1.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6

modified

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF35bec.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF36c86.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\d71a97b2-a8e8-4f1e-9484-fa25f5304aad.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\e5195718-9f8b-4844-b162-ccc4ff17f174.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history

SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3ec55.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF3bf3a.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13374309871087586

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\4ffe996e-2673-47e6-a450-56ed0da17f29.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF36c86.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\a2181d1f-ce78-4bb6-810a-bf3c65ea97f8.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\c90b490e-bce1-48bd-8971-14652a9013f0.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 9

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\a08bbaef-8390-423e-a446-495430f819a8.tmp

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\a82475a1-4244-4314-87df-7ea03ddf0d8d.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\arbitration_service_config.json

ASCII text, with very long lines (3951), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF34edc.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF34eec.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35082.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37735.TMP (copy)

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C67F0828-8674-4A66-98EE-C34850BAD5E6

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

SQLite Write-Ahead Log, version 3007000

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\BCYP2J7W\email.mht

MIME entity, ASCII text, with very long lines (847), with CRLF line terminators

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{78259087-DB0F-4948-A79C-018FFF52B249}.tmp

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\Xc2F5Q2MvV1JEczJGT0JwRHVOc1JBNERpQnFENVFUa0lxL1VnalhLZmNtd3cxbW01Z1VROVV4YmlDYlFpSTNmODJCUnJvZ2dJNThnTVZjUTFwUXJ0NGEzSEVCZG11ODN5WjcveHJBZ3RWVmV5RFNEMlA4YVVSZz09LS13aDdBWGZMQUZaZ[1].gif

GIF image data, version 89a, 1 x 1

dropped

C:\Users\user\AppData\Local\Temp\62008c54-ecb4-426b-a0c8-1c3948ae0a79.tmp

JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1366x720, components 3

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729836197523610800_1CBAFB44-F855-4BB0-8601-F13F1D08E1C0.log

ASCII text, with very long lines (28767), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729836197524441400_1CBAFB44-F855-4BB0-8601-F13F1D08E1C0.log

data

dropped

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241025T0203160998-7220.etl

data

dropped

C:\Users\user\AppData\Local\Temp\a5f63498-e11d-4eb1-bc18-9913b14bb7b6.tmp

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\cv_debug.log

JSON data

dropped

C:\Users\user\AppData\Local\Temp\f464ed56-e226-40a8-bbf7-831c9881aa70.tmp

Google Chrome extension, version 3

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\128.png

PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\af\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\am\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ar\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\az\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\be\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\bg\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\bn\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ca\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\cs\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\cy\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\da\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\de\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\el\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\en\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\en_CA\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\en_GB\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\en_US\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\es\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\es_419\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\et\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\eu\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\fa\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\fi\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\fil\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\fr\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\fr_CA\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\gl\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\gu\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\hi\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\hr\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\hu\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\hy\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\id\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\is\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\it\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\iw\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ja\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ka\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\kk\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\km\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\kn\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ko\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\lo\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\lt\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\lv\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ml\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\mn\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\mr\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ms\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\my\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ne\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\nl\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\no\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\pa\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\pl\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\pt_BR\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\pt_PT\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ro\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ru\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\si\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\sk\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\sl\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\sr\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\sv\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\sw\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ta\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\te\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\th\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\tr\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\uk\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\ur\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\vi\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\zh_CN\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\zh_HK\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\zh_TW\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_locales\zu\messages.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\_metadata\verified_contents.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\dasherSettingSchema.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\manifest.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\offscreendocument.html

HTML document, ASCII text

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\offscreendocument_main.js

ASCII text, with very long lines (3700)

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\page_embed_script.js

ASCII text

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\CRX_INSTALL\service_worker_bin_prod.js

ASCII text, with very long lines (3705)

dropped

C:\Users\user\AppData\Local\Temp\scoped_dir3092_2090067678\f464ed56-e226-40a8-bbf7-831c9881aa70.tmp

Google Chrome extension, version 3

dropped

C:\Users\user\AppData\Local\Temp\~DF78330AC496E4C2A9.TMP

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

data

dropped

There are 206 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\ALERT Home Network Breaches.msg"

Details

Is windows:	true
Is dropped:	false
PID:	7220
Target ID:	0
Parent PID:	4056
Name:	OUTLOOK.EXE
Class:	outlook
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\ALERT Home Network Breaches.msg"
Size:	34446744
MD5:	91A5292942864110ED734005B7E005C0
Time:	02:03:13
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	34492416
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Office Autorun Keys Modification	System Summary
Sigma detected: Outlook Security Settings Updated - Registry	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A24419E8-483F-4BAD-AFA0-862110806469" "21090EE9-A3D3-48F4-85F1-1F3FE46118D9" "7220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Details

Is windows:	true
Is dropped:	false
PID:	3672
Target ID:	3
Parent PID:	7220
Name:	ai.exe
Class:	office
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A24419E8-483F-4BAD-AFA0-862110806469" "21090EE9-A3D3-48F4-85F1-1F3FE46118D9" "7220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Size:	710048
MD5:	EC652BEDD90E089D9406AFED89A8A8BD
Time:	02:03:19
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d9760000
Modulesize:	737280
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\BCYP2J7W\email.mht

Details

Is windows:	true
Is dropped:	false
PID:	6708
Target ID:	8
Parent PID:	7220
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\BCYP2J7W\email.mht
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	02:04:27
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7fb980000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2088,i,16850093930292560535,15653450575445614346,262144 /prefetch:3

Details

Is windows:	true
Is dropped:	false
PID:	5864
Target ID:	9
Parent PID:	6708
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2088,i,16850093930292560535,15653450575445614346,262144 /prefetch:3
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	02:04:28
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7fb980000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\BCYP2J7W\email.mht

Details

Is windows:	true
Is dropped:	false
PID:	3092
Target ID:	10
Parent PID:	4056
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\BCYP2J7W\email.mht
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	02:04:28
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7fb980000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2092,i,12356907861750496289,10950647450928371528,262144 /prefetch:3

Details

Is windows:	true
Is dropped:	false
PID:	7856
Target ID:	11
Parent PID:	3092
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2092,i,12356907861750496289,10950647450928371528,262144 /prefetch:3
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	02:04:28
Date:	25/10/2024
Reason:	newprocess
Reputation:	timeout
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7fb980000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5180 --field-trial-handle=2092,i,12356907861750496289,10950647450928371528,262144 /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7784
Target ID:	15
Parent PID:	3092
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5180 --field-trial-handle=2092,i,12356907861750496289,10950647450928371528,262144 /prefetch:8
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	02:04:32
Date:	25/10/2024
Reason:	newprocess
Reputation:	timeout
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7fb980000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6800 --field-trial-handle=2092,i,12356907861750496289,10950647450928371528,262144 /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7872
Target ID:	16
Parent PID:	3092
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6800 --field-trial-handle=2092,i,12356907861750496289,10950647450928371528,262144 /prefetch:8
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	02:04:32
Date:	25/10/2024
Reason:	newprocess
Reputation:	timeout
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7fb980000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://shell.suite.office.com:1443

unknown

https://duckduckgo.com/ac/?q=

unknown

https://designerapp.azurewebsites.net

unknown

https://autodiscover-s.outlook.com/

unknown

https://useraudit.o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/connectors

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown

https://lookup.onenote.com/lookup/geolocation/v1

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://docs.google.com/

unknown

https://api.aadrm.com/

unknown

https://www.youtube.com

unknown

https://canary.designerapp.

unknown

https://www.instagram.com

unknown

https://www.yammer.com

unknown

https://temp.farenheit.net/Xc2F5Q2MvV1JEczJGT0JwRHVOc1JBNERpQnFENVFUa0lxL1VnalhLZmNtd3cxbW01Z1VROVV4

unknown

https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies

unknown

https://api.microsoftstream.com/api/

unknown

https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive

unknown

https://cr.office.com

unknown

https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge

unknown

https://messagebroker.mobile.m365.svc.cloud.microsoft

unknown

https://otelrules.svc.static.microsoft

unknown

https://outlook.office.com/mail/compose?isExtension=true

unknown

https://edge.skype.com/registrar/prod

unknown

https://i.y.qq.com/n2/m/index.html

unknown

https://www.deezer.com/

unknown

https://res.getmicrosoftkey.com/api/redemptionevents

unknown

https://tasks.office.com

unknown

https://officeci.azurewebsites.net/api/

unknown

https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTM=

unknown

https://web.telegram.org/

unknown

https://my.microsoftpersonalcontent.com

unknown

https://store.office.cn/addinstemplate

unknown

https://temp.farenheit.net/XU2xieHFTWW1FTWhNM2h4S2tlSXV

unknown

https://edge.skype.com/rps

unknown

https://drive-daily-2.corp.google.com/

unknown

https://messaging.engagement.office.com/

unknown

https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://www.odwebp.svc.ms

unknown

https://api.powerbi.com/v1.0/myorg/groups

unknown

https://web.microsoftstream.com/video/

unknown

https://api.addins.store.officeppe.com/addinstemplate

unknown

https://drive-daily-1.corp.google.com/

unknown

https://graph.windows.net

unknown

https://excel.new?from=EdgeM365Shoreline

unknown

https://drive-daily-5.corp.google.com/

unknown

https://bzib.nelreports.net/api/report?cat=bingbusiness

unknown

https://consent.config.office.com/consentcheckin/v1.0/consents

unknown

https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices

unknown

https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json

unknown

https://d.docs.live.net

unknown

https://safelinks.protection.outlook.com/api/GetPolicy

unknown

https://ncus.contentsync.

unknown

https://drive-preprod.corp.google.com/

unknown

https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/

unknown

http://weather.service.msn.com/data.aspx

unknown

https://bard.google.com/

unknown

https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

unknown

https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

unknown

https://mss.office.com

unknown

https://pushchannel.1drv.ms

unknown

https://wus2.contentsync.

unknown

https://clients.config.office.net/user/v1.0/ios

unknown

https://api.addins.omex.office.net/api/addins/search

unknown

https://www.office.com

unknown

https://outlook.live.com/mail/0/

unknown

https://outlook.office365.com/api/v1.0/me/Activities

unknown

https://clients.config.office.net/user/v1.0/android/policies

unknown

https://entitlement.diagnostics.office.com

unknown

https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json

unknown

https://outlook.office.com/

unknown

https://tidal.com/

unknown

https://storage.live.com/clientlogs/uploadlocation

unknown

https://gaana.com/

unknown

https://login.microsoftonline.com

unknown

https://substrate.office.com/search/api/v1/SearchHistory

unknown

https://outlook.live.com/mail/compose?isExtension=true

unknown

https://clients.config.office.net/c2r/v1.0/InteractiveInstallation

unknown

https://service.powerapps.com

unknown

https://graph.windows.net/

unknown

https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true

unknown

https://devnull.onenote.com

unknown

https://messaging.office.com/

unknown

https://latest.web.skype.com/?browsername=edge_canary_shoreline

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing

unknown

https://skyapi.live.net/Activity/

unknown

https://word.new?from=EdgeM365Shoreline

unknown

https://api.cortana.ai

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://messaging.action.office.com/setcampaignaction

unknown

https://mail.google.com/mail/mu/mp/266/#tl/Inbox

unknown

https://visio.uservoice.com/forums/368202-visio-on-devices

unknown

https://staging.cortana.ai

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

ssl.bingadsedgeextension-prod-europe.azurewebsites.net

94.245.104.56

s-part-0015.t-0009.t-msedge.net

13.107.246.43

s-part-0017.t-0009.t-msedge.net

13.107.246.45

googlehosted.l.googleusercontent.com

142.250.186.65

sni1gl.wpc.nucdn.net

152.199.21.175

s-part-0032.t-0009.t-msedge.net

13.107.246.60

landing.training.knowbe4.com

3.221.165.56

clients2.googleusercontent.com

unknown

bzib.nelreports.net

unknown

temp.farenheit.net

unknown

171.39.242.20.in-addr.arpa

unknown

There are 1 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

13.107.246.43

s-part-0015.t-0009.t-msedge.net

United States

94.245.104.56

ssl.bingadsedgeextension-prod-europe.azurewebsites.net

United Kingdom

192.168.2.7

unknown

Details

IP:	192.168.2.7
TargetID:	10
Current Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Detected non-DNS traffic on DNS port	Networking
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

3.221.165.56

landing.training.knowbe4.com

United States

Details

IP:	3.221.165.56
TargetID:	0
Current Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Country:	United States
Countrycode:	USA
ASN number:	14618
ASN name:	AMAZON-AESUS
Private:	false
Domain:	landing.training.knowbe4.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

239.255.255.250

unknown

Reserved

142.250.186.65

googlehosted.l.googleusercontent.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b046b

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9207f3e0a3b11019908b08002b2a56c2

11023d05

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

00030429

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

CantBootResolution

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

ProfileBeingOpened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

BootDiagnosticsLogFile

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics

OutlookBootFlag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

$!>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

ProfileBeingOpened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings

Accounts

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing

EligibleForExtendedGrace

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards

PageSize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings

Template

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

WMACUpdated

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options

DefaultKerningLigatures

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1e\417C44EB

@%SystemRoot%\system32\mlang.dll,-4608

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

BootDiagnosticsLogFile

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

CantBootResolution

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountSignaturesDialogOpen

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

h->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

(.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

7.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

7.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

'.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\UmOutlookAddin.FormRegionAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

'.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

'.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

'.>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

6.>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnershipV5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnershipV4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnershipV3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnership

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar

WorkDay

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018C00FD39F4CA9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security

OutlookSecureTempFolder

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Logging

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage

OutlookMAPI2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\outlook

EcsRequestPending

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage

OutlookMAPI2Intl_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\Forms Registry

CacheSyncCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\ColleagueImport.ColleagueImportAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

ColleagueImport.ColleagueImportAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OneNote.OutlookAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Display Types\Balloons

HWND64ForOrphanedNotIcon

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

OneNote.OutlookAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OscAddin.Connect

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

OscAddin.Connect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UCAddin.LyncAddin.1

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

UCAddin.LyncAddin.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UmOutlookAddin.FormRegionAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

UmOutlookAddin.FormRegionAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

FilePath

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

StartDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

EndDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Search\Catalog

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings

Accounts

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon

state

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty

StatusCodes

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty

StatusCodes

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon

state

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics

user_experience_metrics.stability.exited_cleanly

HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}

freseenversion

HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}

freseen

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Defaults

is_dse_recommended

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Defaults

is_startup_page_recommended

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\198100

WindowTabManagerFileMappingId