Windows
Analysis Report
Potential case.msg
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- OUTLOOK.EXE (PID: 1212 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential case.msg" MD5: 91A5292942864110ED734005B7E005C0)
  - ai.exe (PID: 6300 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "57B5CA36-1F39-4B75-A120-D942A4584BF5" "D7487505-4B59-460F-99E2-C18C5A1314E0" "1212" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
There are no malicious signatures.
Signature rows (detail columns empty): String found in binary or memory; Classification label; File created; Process created; Section loaded; Key value queried; Window found; Window detected; Key opened; Key value created or modified; Process information set; Process information queried; Queries volume information.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | Avira URL Cloud | safe | |
 | 0% | Avira URL Cloud | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
 | | false | | high |
 | | false | | high |
 | | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430846 |
Start date and time: | 2024-04-24 09:57:40 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Potential case.msg |
Detection: | CLEAN |
Classification: | clean1.winMSG@3/16@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 72.21.81.240, 52.113.194.132, 52.109.0.140, 23.219.38.34, 23.219.38.42, 20.42.73.27
- Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, osiprod-wus-buff-azsc-000.westus.cloudapp.azure.com, wu.azureedge.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, wus-azsc-000.roaming.officeapps.live.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, wu.ec.azureedge.net, us2.roaming1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, onedscolprdeus12.eastus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 231348 |
Entropy (8bit): | 4.393501093965851 |
Encrypted: | false |
SSDEEP: | 1536:p1YLhWgsdjk2wUJWDgsmtNcAz79ysQqt2tnTtqoQ4brcm0FvlL+yp+UW3mmVT5Kx:44gmXUg1miGu2LqoQIrt0FvPXhktXBcb |
MD5: | 5C0ABF271CF9FDE1EAB49209C3FE158A |
SHA1: | FC6C91CA394387A793EF84126F25C1EEF4BAC76E |
SHA-256: | 7B1B38C8FC037D7F64596E809B2B192449F633DA4F23B97D750D1849023D6ABA |
SHA-512: | 6D976EF4B082DB73B0CACB9F252F199322A389C337ED09583B8E97FAEE1AA932B11722B3F96529BDA6577A5A22A43EBBC220986CA8E97C4EB9C58C1BCC2B5D9D |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 322260 |
Entropy (8bit): | 4.000299760592446 |
Encrypted: | false |
SSDEEP: | 6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl |
MD5: | CC90D669144261B198DEAD45AA266572 |
SHA1: | EF164048A8BC8BD3A015CF63E78BDAC720071305 |
SHA-256: | 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 |
SHA-512: | 16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 10 |
Entropy (8bit): | 2.7219280948873625 |
Encrypted: | false |
SSDEEP: | 3:L96T:54 |
MD5: | A5A6666B1BDECDD7B652101F96A26039 |
SHA1: | 154193DC23B45B1A1CFC4B3CF53795959322DCDA |
SHA-256: | 578F72E3ADCC5E21EDD26B995001BC4E99E548B7104ECE8D4ADAEBFDB675273B |
SHA-512: | F05FBBF036EE4104BD49F5CAC13C128E72369535A5C1E495E3AA9647B5559FB274232F526D9086DE8B9D79F36B739293EA8345F0A0FFBAC181D34C9B806AEA8B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 0.09216609452072291 |
Encrypted: | false |
SSDEEP: | 3:lSWFN3l/klslpF/4llfll:l9F8E0/ |
MD5: | F138A66469C10D5761C6CBB36F2163C3 |
SHA1: | EEA136206474280549586923B7A4A3C6D5DB1E25 |
SHA-256: | C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6 |
SHA-512: | 9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4616 |
Entropy (8bit): | 0.13760166725504608 |
Encrypted: | false |
SSDEEP: | 3:7FEG2l+LlK/FllkpMRgSWbNFl/sl+ltlslVlllfllT:7+/lWlSg9bNFlEs1EP/D |
MD5: | C33962C15F3DCB242159333C4B479036 |
SHA1: | E524774FEE472B5ADD541A2624D4D16AB6B695FA |
SHA-256: | 2B9E54AA90B7CBDC4094441937E796D0E257FE49AA1A5DD962742579EC6348AD |
SHA-512: | 5EFE71FEF465CF65C2B64BB39BB0CFD880105A4EA7EC119B08F11E99D5E5289D01C2C5C6730A9A0A1E0CD741E340B0F608AB73A5621155F82654439DA4DFE166 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.0447824104283491 |
Encrypted: | false |
SSDEEP: | 3:G4l25a+zt9HYlCl25a+ztllXWlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2DcAl2D4L9XXPH4l942U |
MD5: | C4CEAF0CD67C64D866E0D4EEADC7C843 |
SHA1: | 297263A14B1F3EEF63CDF63B2C773D32CC577FAC |
SHA-256: | 431B5F5B0E8E190C54025A2E1E81483247409DB6DCB67FD8665BE700B57B3B4B |
SHA-512: | 53F5C020B6824B1F7E4FD635487E6DF89BC73AB2BCF74CC33208BFD19A9F2D29A698E391CE850A4DF1E61F4D87365338ED4F08A99AD7552997D20B085363F12A |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 45352 |
Entropy (8bit): | 0.39392685398144023 |
Encrypted: | false |
SSDEEP: | 24:Kb0RyWQ3zRDihxHUll7DBtDi4kZERDnmNzqt8VtbDBtDi4kZERDvhlt:SWQ14ZUll7DYMaNzO8VFDYMx |
MD5: | 5C24ABBBD44C7E9F5F32C18F459D1C27 |
SHA1: | BDC723CADA8FA9BCF252B966A34A8EABE81989FD |
SHA-256: | 170AB74DF59CA74602F3142BE573A12E75084A753B2E8601BDBA38B88FBEB7AA |
SHA-512: | CAC54B3448B8DC90E1DC8306C60C62E7F201817617EE83C0832F7C3BAE3C13B8B63C165727CF0F12B7081731120AD0B36CF906F95E8A6D09D3A92D43AC261529 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4B62BE7A-F353-4D73-B34D-E291C6A83F96}.tmp
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1604 |
Entropy (8bit): | 1.2242999944405843 |
Encrypted: | false |
SSDEEP: | 6:xRuUNT6nONoke9HDW9AKY2EAhkly/n8irwl2HlXMvOwWlqH4/rH:Dx6ONLsHDxL2Vkl5iklOlXUIH |
MD5: | 2E4B6262A07AC27AEA3215ABC68A58B2 |
SHA1: | 4728BBE80E5C7FA4761C9D6359943D4B2224DC09 |
SHA-256: | 306C62AAC49252641021C97FDAD88354ACC1E163FCD3969A732B9EA1AB6391FB |
SHA-512: | 0CB566923D2A253B8EF6946C65963290676856AD087FA933D20FD22343F3A10B80E0E588582E8592994E32E0630A4BC6322C18B83234F30E6610B484456B1B0C |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713945493488809300_59F90C04-58F3-41BB-AB49-92DE7D9AAD3A.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.004813841892793096 |
Encrypted: | false |
SSDEEP: | 192:J1hFM+L7trKTNwh1iSjW+/7sn4q7DmkrCBtI:PhPYT21NjW+/on9nR+Bq |
MD5: | 2F1A8453C59993F05E8664B019F18E71 |
SHA1: | 325B3E25408B7DD967691E57BF07CFBF5B521894 |
SHA-256: | 214F780BA515EEE34D901AE1160822ADF171B0DA165F23B7F6ED88F4595751DE |
SHA-512: | 23020CA001E5D7DEFC2B121FA86CB90F26CD03F4445F9AA12BD168122014DA066336347A083B2FDA86FBACE199038BCE52E595326776ED7F60584F4FDD08F7F6 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713945493490112200_59F90C04-58F3-41BB-AB49-92DE7D9AAD3A.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 102400 |
Entropy (8bit): | 4.59541540631895 |
Encrypted: | false |
SSDEEP: | 768:UQjb6rTt/Im3Rpz4Y+9lnxVcUnX0zWJWDWkWgknO:DbK4Y+9lnzckXLnO |
MD5: | AB934FF8BCAC9A373BB762388C2B7BD5 |
SHA1: | 60D16A185BF182F6DFF033A0F4411189D1509D49 |
SHA-256: | 13105CB8E8BC7EE9725210B3251A921CE8C844C59E58AC1327A0CE0D49FC6216 |
SHA-512: | 5628933BB705CEBFA496E8FD1E09FB0307BDFF3AB10575AB7E593315BFC0659A84B7A27DBDDDECE0614AC6ADCEBCC1360324C3B603C853722B36B48AC716B1AE |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 163840 |
Entropy (8bit): | 0.3598640377137114 |
Encrypted: | false |
SSDEEP: | 192:wOmFN4kejIEmvc+WpHBS2yah60xwNgiXHWQOoT/:pmirmvc+SS2s0xviXHOo |
MD5: | 629EF912BD7CB412BB02063BF5849C9A |
SHA1: | 3CDF31F8658ABA1F396F2141250D5502BA8755F6 |
SHA-256: | 4479A18FCF9F2E087523DAC415BB4892EE9BCE519DD054C647BBE2D46BF557A4 |
SHA-512: | 7D9FBEAC829E828B985EC090353F9FC560C39BDB54C40C5B567C0180FD51FB87A9BAB0BD4857AAED1D0CD745395CBDEFC570295BC745CD9BC874D354DBCA7A24 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 30 |
Entropy (8bit): | 1.2389205950315936 |
Encrypted: | false |
SSDEEP: | 3:orX:or |
MD5: | 05CD19534ED232AB048822835E3ACEAF |
SHA1: | ED740BE323F2046D90C732D32D0383EE2CC762FC |
SHA-256: | B022B406FC0D8C64D90FD60A3CBBB40EF09CC41FB9D894E1DE5E3AEBAB1D5CE7 |
SHA-512: | 2B18A646D5E9659569E9AA7E9918C1951C11AB39CB83AA5419B08F80851A8DBB0F9E1FD2E03F2E716F29B7283F765CCDF239B82127B09542EB3501F59CADD8C8 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.6710603070586854 |
Encrypted: | false |
SSDEEP: | 12:rl3baFosqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCnCllp:rzmnq1Py961nClL |
MD5: | 1E76678E184146B96BFB9BA104DFB2F2 |
SHA1: | 7EB329920DAC48E370BCD4F1BB6330EC0DF323E8 |
SHA-256: | 4BB0E8EB7CB2EB5C5EF1241B582088EB148A7E0B89F1F4738DEA57CA99D33BE7 |
SHA-512: | 869701EC4189CC0C671171A5A2C2A427649A3283A1F2688F37911361E6325073A46BB1518FD64E5B5F61235AFDDCB638FC753FE89CB5BFF9B0A91AFB7AFC2E95 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 1.5644059679634186 |
Encrypted: | false |
SSDEEP: | 768:9Qcdz85TlEgRWdf45GH3ukdYf+0mYYEauYEGlc88m8BUTIZb:/q2gkdfFT6aj0meNZb |
MD5: | D7D884567F85624C79FFF00DC7C17888 |
SHA1: | A084D601555C65CC06707D9687748F825276235A |
SHA-256: | 93D72E3F1C1CD63E0C204830F3255352AF7E48B512ED86A8C0FC96524CBB6415 |
SHA-512: | 999DFD90C1D15706C5C04134034F3A9520AA6BECE0C3E0DCD7948C4B4B0DD60B8DD2FF3866E8B6D5EED5D9002337B20F0036D7CA9529C7FD4005904D7E1AC737 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.9982099015937981 |
Encrypted: | false |
SSDEEP: | 192:tTk0DwjTIoOJMeDe6MrzTJsHutLwJwEPnx0fGXQxqDTADe44si1R434+lz:xQjTIXJvDe/qHu8euAxqf2fc1R2 |
MD5: | 32D8C49C921F7AE64D8A63B74171766B |
SHA1: | 3873B94E23BC45262391710406BCB0724D3379A5 |
SHA-256: | 6BB5489227A8392CE290D707BB4EFE996F996CFAE9B64E8817833124EEB96AC2 |
SHA-512: | E6FFEF37188F4CE20CFA32D79834CFBB9828CEE4DC8B7313B6957AAF1DCA5798E947B18DBAA164CD9B47DD038858D55042F3AD19F6AEA042496B2901AD4CDA24 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 3.774667173601363 |
TrID: |
|
File name: | Potential case.msg |
File size: | 111'104 bytes |
MD5: | e7661cebd5227ee01d2d712852103022 |
SHA1: | dcb502ee880cec41cac4d8db931bf3fd3ba981e7 |
SHA256: | e930674381e055383ca6881357a2c437a65afd3b99c157c79007b4046bc91893 |
SHA512: | aa326c59418dd03c987dcbc528d7fab6a485d599fe0ed9c8ebddb1394c44cb3c13655871b0b9bd3e18604a8417a2c8529664f6146d98045419a347545ce5ca6a |
SSDEEP: | 3072:w11+oegeprU+qdgWejpJm7X8GORikW16K4:5oegeprUXgWcJm4GMIf4 |
TLSH: | BEB30F213AFA1119F2B79F364BF290978537FD526D249A5F2191330E0A72A41DC62F3B |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
Subject: | Potential case |
From: | ELSA ISABEL LOAIZA RAMIREZ <eloaiza1@ibero.edu.co> |
To: | "info@lawfirm.com" <info@lawfirm.com> |
Cc: | |
BCC: | |
Date: | Tue, 23 Apr 2024 23:33:25 +0200 |
Communications: | |
Attachments: |
Key | Value |
---|---|
Received | from EA2PR22MB5141.namprd22.prod.outlook.com |
 | 21:33:25 +0000 |
ARC-Seal | i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; |
ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; |
 | h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; |
ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass |
 | by GVXP194MB2329.EURP194.PROD.OUTLOOK.COM (2603:10a6:150:1ff::10) with |
 | 2024 21:33:31 +0000 |
 | (2603:10a6:20b:458::19) with Microsoft SMTP Server (version=TLS1_2, |
 | Transport; Tue, 23 Apr 2024 21:33:35 +0000 |
Authentication-Results | spf=pass (sender IP is 40.107.220.127) |
Received-SPF | Pass (protection.outlook.com: domain of ibero.edu.co designates |
 | 15.20.7519.19 via Frontend Transport; Tue, 23 Apr 2024 21:33:34 +0000 |
DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; |
 | by PH7PR22MB3771.namprd22.prod.outlook.com (2603:10b6:510:2a7::19) with |
 | ([fe80::7e72:c08a:7712:734d%5]) with mapi id 15.20.7472.044; Tue, 23 Apr 2024 |
From | ELSA ISABEL LOAIZA RAMIREZ <eloaiza1@ibero.edu.co> |
To | "info@lawfirm.com" <info@lawfirm.com> |
Subject | Potential case |
Thread-Topic | Potential case |
Thread-Index | AQHalcXfyO9PjbgeZ02NAKD4gUXv+g== |
Date | Tue, 23 Apr 2024 21:33:25 +0000 |
Message-ID | <EA2PR22MB51418321A87DB8980EB36D9FB5112@EA2PR22MB5141.namprd22.prod.outlook.com> |
Accept-Language | es-ES, en-US |
Content-Language | es-ES |
X-MS-Has-Attach | |
X-MS-TNEF-Correlator | |
msip_labels | |
Authentication-Results-Original | dkim=none (message not signed) |
x-ms-traffictypediagnostic | EA2PR22MB5141:EE_|PH7PR22MB3771:EE_|AM2PEPF0001C709:EE_|GVXP194MB2329:EE_|AS8P194MB1690:EE_ |
X-MS-Office365-Filtering-Correlation-Id | b02e154d-6c10-4b9d-3345-08dc63dd0812 |
x-ms-exchange-senderadcheck | 1 |
x-ms-exchange-antispam-relay | 0 |
X-Microsoft-Antispam-Untrusted | BCL:0; |
X-Microsoft-Antispam-Message-Info-Original | =?us-ascii?Q?Pl/PwBw3tgYdDtI72TPKEzj39HTXI54LluJAYpVRLdD1HAkPPVSkCA7JKSVB?= |
X-Forefront-Antispam-Report-Untrusted | CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:EA2PR22MB5141.namprd22.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(376005)(1800799015)(366007)(7416005)(41320700004)(38070700009);DIR:OUT;SFP:1102; |
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount | 1 |
X-MS-Exchange-AntiSpam-MessageData-Original-0 | =?iso-8859-1?Q?jP8akr2Fvf4iI/gDlACUJBKyzvJ7GhgP2yToycPFKVIOvLZdVGSB+W7bOB?= |
Content-Type | multipart/alternative; |
MIME-Version | 1.0 |
X-MS-Exchange-Transport-CrossTenantHeadersStamped | GVXP194MB2329 |
Return-Path | eloaiza1@ibero.edu.co |
X-MS-Exchange-Organization-ExpirationStartTime | 23 Apr 2024 21:33:35.4100 |
X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
X-MS-Exchange-Organization-Network-Message-Id | b02e154d-6c10-4b9d-3345-08dc63dd0812 |
X-EOPAttributedMessage | 0 |
X-EOPTenantAttributedMessage | 055b0795-7299-45a9-bc23-ad109157818e:0 |
X-MS-Exchange-Organization-MessageDirectionality | Incoming |
X-MS-Exchange-Transport-CrossTenantHeadersStripped | AM2PEPF0001C709.eurprd05.prod.outlook.com |
X-MS-Exchange-Transport-CrossTenantHeadersPromoted | AM2PEPF0001C709.eurprd05.prod.outlook.com |
X-MS-PublicTrafficType | |
X-MS-Exchange-Organization-AuthSource | AM2PEPF0001C709.eurprd05.prod.outlook.com |
X-MS-Exchange-Organization-AuthAs | Anonymous |
X-MS-Office365-Filtering-Correlation-Id-Prvs | 6155e436-d1ff-4adc-7687-08dc63dd0241 |
X-MS-Exchange-AtpMessageProperties | SA|SL |
X-MS-Exchange-Organization-SCL | 1 |
X-Microsoft-Antispam | BCL:0; |
X-Forefront-Antispam-Report | CIP:40.107.220.127;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-CO1-obe.outbound.protection.outlook.com;PTR:mail-co1nam11on2127.outbound.protection.outlook.com;CAT:NONE;SFTY:9.25;SFS:(13230031)(5000899004);DIR:INB;SFTY:9.25; |
X-MS-Exchange-CrossTenant-OriginalArrivalTime | 23 Apr 2024 21:33:34.9725 |
X-MS-Exchange-CrossTenant-Network-Message-Id | b02e154d-6c10-4b9d-3345-08dc63dd0812 |
X-MS-Exchange-CrossTenant-Id | 055b0795-7299-45a9-bc23-ad109157818e |
X-MS-Exchange-CrossTenant-AuthSource | AM2PEPF0001C709.eurprd05.prod.outlook.com |
X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
X-MS-Exchange-Transport-EndToEndLatency | 00:00:05.1229395 |
X-MS-Exchange-Processed-By-BccFoldering | 15.20.7472.035 |
X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198); |
X-Microsoft-Antispam-Message-Info | =?us-ascii?Q?f2iOb7jpsA1uzp8JVCB56xvrFxqxbCurS2tkINoy1XUvrqJbHAAp3MIDI5Fx?= |
date | Tue, 23 Apr 2024 23:33:25 +0200 |
Icon Hash: | c4e1928eacb280a2 |
Target ID: | 0 |
Start time: | 09:58:13 |
Start date: | 24/04/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2d0000 |
File size: | 34'446'744 bytes |
MD5 hash: | 91A5292942864110ED734005B7E005C0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 2 |
Start time: | 09:58:14 |
Start date: | 24/04/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff791af0000 |
File size: | 710'048 bytes |
MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |