Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Potential case.msg

Overview

General Information

Sample name:	Potential case.msg
Analysis ID:	1430846
MD5:	e7661cebd5227ee01d2d712852103022
SHA1:	dcb502ee880cec41cac4d8db931bf3fd3ba981e7
SHA256:	e930674381e055383ca6881357a2c437a65afd3b99c157c79007b4046bc91893
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

×

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 1212 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential case.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6300 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "57B5CA36-1F39-4B75-A120-D942A4584BF5" "D7487505-4B59-460F-99E2-C18C5A1314E0" "1212" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 1212, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Potential case.msg	String found in binary or memory: http://schema.org
Source: Potential case.msg, ~WRS{4B62BE7A-F353-4D73-B34D-E291C6A83F96}.tmp.0.dr	String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl.0.dr	String found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl.0.dr	String found in binary or memory: https://login.windows.localnull

Source: classification engine

Classification label: clean1.winMSG@3/16@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential case.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "57B5CA36-1F39-4B75-A120-D942A4584BF5" "D7487505-4B59-460F-99E2-C18C5A1314E0" "1212" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "57B5CA36-1F39-4B75-A120-D942A4584BF5" "D7487505-4B59-460F-99E2-C18C5A1314E0" "1212" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://login.windows.localR	0%	Avira URL Cloud	safe
https://login.windows.localnull	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.localnull	OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl.0.dr	false	Avira URL Cloud: safe	unknown
http://schema.org	Potential case.msg	false		high
https://aka.ms/LearnAboutSenderIdentification	Potential case.msg, ~WRS{4B62BE7A-F353-4D73-B34D-E291C6A83F96}.tmp.0.dr	false		high
https://login.windows.localR	OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430846
Start date and time:	2024-04-24 09:57:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Potential case.msg
Detection:	CLEAN
Classification:	clean1.winMSG@3/16@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 52.113.194.132, 52.109.0.140, 23.219.38.34, 23.219.38.42, 20.42.73.27
Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, osiprod-wus-buff-azsc-000.westus.cloudapp.azure.com, wu.azureedge.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, wus-azsc-000.roaming.officeapps.live.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, wu.ec.azureedge.net, us2.roaming1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, onedscolprdeus12.eastus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.393501093965851
Encrypted:	false
SSDEEP:	1536:p1YLhWgsdjk2wUJWDgsmtNcAz79ysQqt2tnTtqoQ4brcm0FvlL+yp+UW3mmVT5Kx:44gmXUg1miGu2LqoQIrt0FvPXhktXBcb
MD5:	5C0ABF271CF9FDE1EAB49209C3FE158A
SHA1:	FC6C91CA394387A793EF84126F25C1EEF4BAC76E
SHA-256:	7B1B38C8FC037D7F64596E809B2B192449F633DA4F23B97D750D1849023D6ABA
SHA-512:	6D976EF4B082DB73B0CACB9F252F199322A389C337ED09583B8E97FAEE1AA932B11722B3F96529BDA6577A5A22A43EBBC220986CA8E97C4EB9C58C1BCC2B5D9D
Malicious:	false
Reputation:	low
Preview:	TH02...... ....!........SM01X...,....$. ............IPM.Activity...........h...............h............H..h\|.u.....I.w...h........x..H..h\cal ...pDat...h.#..0....u....h!..............h........_`.j...h}...@...I.lw...h....H...8..j...0....T...............d.........2h...............k..D...........!h.............. h#z......u...#h....8.........$hx......8....."h........H.....'h..............1h!...<.........0h....4....j../h....h......jH..hp...p...\|.u...-h .........u...+h........p.u................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:	6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:L96T:54
MD5:	A5A6666B1BDECDD7B652101F96A26039
SHA1:	154193DC23B45B1A1CFC4B3CF53795959322DCDA
SHA-256:	578F72E3ADCC5E21EDD26B995001BC4E99E548B7104ECE8D4ADAEBFDB675273B
SHA-512:	F05FBBF036EE4104BD49F5CAC13C128E72369535A5C1E495E3AA9647B5559FB274232F526D9086DE8B9D79F36B739293EA8345F0A0FFBAC181D34C9B806AEA8B
Malicious:	false
Reputation:	low
Preview:	1713945496

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13760166725504608
Encrypted:	false
SSDEEP:	3:7FEG2l+LlK/FllkpMRgSWbNFl/sl+ltlslVlllfllT:7+/lWlSg9bNFlEs1EP/D
MD5:	C33962C15F3DCB242159333C4B479036
SHA1:	E524774FEE472B5ADD541A2624D4D16AB6B695FA
SHA-256:	2B9E54AA90B7CBDC4094441937E796D0E257FE49AA1A5DD962742579EC6348AD
SHA-512:	5EFE71FEF465CF65C2B64BB39BB0CFD880105A4EA7EC119B08F11E99D5E5289D01C2C5C6730A9A0A1E0CD741E340B0F608AB73A5621155F82654439DA4DFE166
Malicious:	false
Reputation:	low
Preview:	.... .c.....-......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0447824104283491
Encrypted:	false
SSDEEP:	3:G4l25a+zt9HYlCl25a+ztllXWlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2DcAl2D4L9XXPH4l942U
MD5:	C4CEAF0CD67C64D866E0D4EEADC7C843
SHA1:	297263A14B1F3EEF63CDF63B2C773D32CC577FAC
SHA-256:	431B5F5B0E8E190C54025A2E1E81483247409DB6DCB67FD8665BE700B57B3B4B
SHA-512:	53F5C020B6824B1F7E4FD635487E6DF89BC73AB2BCF74CC33208BFD19A9F2D29A698E391CE850A4DF1E61F4D87365338ED4F08A99AD7552997D20B085363F12A
Malicious:	false
Reputation:	low
Preview:	..-......................J..q.0......X_.....:....-......................J..q.0......X_.....:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	45352
Entropy (8bit):	0.39392685398144023
Encrypted:	false
SSDEEP:	24:Kb0RyWQ3zRDihxHUll7DBtDi4kZERDnmNzqt8VtbDBtDi4kZERDvhlt:SWQ14ZUll7DYMaNzO8VFDYMx
MD5:	5C24ABBBD44C7E9F5F32C18F459D1C27
SHA1:	BDC723CADA8FA9BCF252B966A34A8EABE81989FD
SHA-256:	170AB74DF59CA74602F3142BE573A12E75084A753B2E8601BDBA38B88FBEB7AA
SHA-512:	CAC54B3448B8DC90E1DC8306C60C62E7F201817617EE83C0832F7C3BAE3C13B8B63C165727CF0F12B7081731120AD0B36CF906F95E8A6D09D3A92D43AC261529
Malicious:	false
Reputation:	low
Preview:	7....-................X_...(.)................X_.+J.=...SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4B62BE7A-F353-4D73-B34D-E291C6A83F96}.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	1.2242999944405843
Encrypted:	false
SSDEEP:	6:xRuUNT6nONoke9HDW9AKY2EAhkly/n8irwl2HlXMvOwWlqH4/rH:Dx6ONLsHDxL2Vkl5iklOlXUIH
MD5:	2E4B6262A07AC27AEA3215ABC68A58B2
SHA1:	4728BBE80E5C7FA4761C9D6359943D4B2224DC09
SHA-256:	306C62AAC49252641021C97FDAD88354ACC1E163FCD3969A732B9EA1AB6391FB
SHA-512:	0CB566923D2A253B8EF6946C65963290676856AD087FA933D20FD22343F3A10B80E0E588582E8592994E32E0630A4BC6322C18B83234F30E6610B484456B1B0C
Malicious:	false
Reputation:	low
Preview:	......N.o. .s.u.e.l.e. .r.e.c.i.b.i.r. .c.o.r.r.e.o.s. .e.l.e.c.t.r...n.i.c.o.s. .d.e. .e.l.o.a.i.z.a.1.@.i.b.e.r.o...e.d.u...c.o... .H.Y.P.E.R.L.I.N.K. .".h.t.t.p.s.:././.a.k.a...m.s./.L.e.a.r.n.A.b.o.u.t.S.e.n.d.e.r.I.d.e.n.t.i.f.i.c.a.t.i.o.n.".................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713945493488809300_59F90C04-58F3-41BB-AB49-92DE7D9AAD3A.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.004813841892793096
Encrypted:	false
SSDEEP:	192:J1hFM+L7trKTNwh1iSjW+/7sn4q7DmkrCBtI:PhPYT21NjW+/on9nR+Bq
MD5:	2F1A8453C59993F05E8664B019F18E71
SHA1:	325B3E25408B7DD967691E57BF07CFBF5B521894
SHA-256:	214F780BA515EEE34D901AE1160822ADF171B0DA165F23B7F6ED88F4595751DE
SHA-512:	23020CA001E5D7DEFC2B121FA86CB90F26CD03F4445F9AA12BD168122014DA066336347A083B2FDA86FBACE199038BCE52E595326776ED7F60584F4FDD08F7F6
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..04/24/2024 07:58:13.529.OUTLOOK (0x4BC).0x1674.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":21,"Time":"2024-04-24T07:58:13.529Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"2BB55680-6944-4DAA-A7C6-1A169F3AD590","Data.PreviousSessionInitTime":"2024-04-24T07:58:00.413Z","Data.PreviousSessionUninitTime":"2024-04-24T07:58:03.272Z","Data.SessionFlags":4,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...04/24/2024 07:58:13.561.OUTLOOK (0x4BC).0x1830.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":28,"Time":"20

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713945493490112200_59F90C04-58F3-41BB-AB49-92DE7D9AAD3A.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240424T0958130208-1212.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	4.59541540631895
Encrypted:	false
SSDEEP:	768:UQjb6rTt/Im3Rpz4Y+9lnxVcUnX0zWJWDWkWgknO:DbK4Y+9lnzckXLnO
MD5:	AB934FF8BCAC9A373BB762388C2B7BD5
SHA1:	60D16A185BF182F6DFF033A0F4411189D1509D49
SHA-256:	13105CB8E8BC7EE9725210B3251A921CE8C844C59E58AC1327A0CE0D49FC6216
SHA-512:	5628933BB705CEBFA496E8FD1E09FB0307BDFF3AB10575AB7E593315BFC0659A84B7A27DBDDDECE0614AC6ADCEBCC1360324C3B603C853722B36B48AC716B1AE
Malicious:	false
Preview:	............................................................................^...t........Y.(....................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1............................................................?.{.Y...........Y.(............v.2._.O.U.T.L.O.O.K.:.4.b.c.:.1.c.0.f.4.f.0.c.e.b.7.0.4.8.2.c.a.8.6.6.7.3.2.d.f.c.4.c.0.b.1.a...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.4.2.4.T.0.9.5.8.1.3.0.2.0.8.-.1.2.1.2...e.t.l.........P.P.t........Y.(............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF1F47686751230C1B.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.3598640377137114
Encrypted:	false
SSDEEP:	192:wOmFN4kejIEmvc+WpHBS2yah60xwNgiXHWQOoT/:pmirmvc+SS2s0xviXHOo
MD5:	629EF912BD7CB412BB02063BF5849C9A
SHA1:	3CDF31F8658ABA1F396F2141250D5502BA8755F6
SHA-256:	4479A18FCF9F2E087523DAC415BB4892EE9BCE519DD054C647BBE2D46BF557A4
SHA-512:	7D9FBEAC829E828B985EC090353F9FC560C39BDB54C40C5B567C0180FD51FB87A9BAB0BD4857AAED1D0CD745395CBDEFC570295BC745CD9BC874D354DBCA7A24
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:orX:or
MD5:	05CD19534ED232AB048822835E3ACEAF
SHA1:	ED740BE323F2046D90C732D32D0383EE2CC762FC
SHA-256:	B022B406FC0D8C64D90FD60A3CBBB40EF09CC41FB9D894E1DE5E3AEBAB1D5CE7
SHA-512:	2B18A646D5E9659569E9AA7E9918C1951C11AB39CB83AA5419B08F80851A8DBB0F9E1FD2E03F2E716F29B7283F765CCDF239B82127B09542EB3501F59CADD8C8
Malicious:	false
Preview:	..............................

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.6710603070586854
Encrypted:	false
SSDEEP:	12:rl3baFosqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCnCllp:rzmnq1Py961nClL
MD5:	1E76678E184146B96BFB9BA104DFB2F2
SHA1:	7EB329920DAC48E370BCD4F1BB6330EC0DF323E8
SHA-256:	4BB0E8EB7CB2EB5C5EF1241B582088EB148A7E0B89F1F4738DEA57CA99D33BE7
SHA-512:	869701EC4189CC0C671171A5A2C2A427649A3283A1F2688F37911361E6325073A46BB1518FD64E5B5F61235AFDDCB638FC753FE89CB5BFF9B0A91AFB7AFC2E95
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.5644059679634186
Encrypted:	false
SSDEEP:	768:9Qcdz85TlEgRWdf45GH3ukdYf+0mYYEauYEGlc88m8BUTIZb:/q2gkdfFT6aj0meNZb
MD5:	D7D884567F85624C79FFF00DC7C17888
SHA1:	A084D601555C65CC06707D9687748F825276235A
SHA-256:	93D72E3F1C1CD63E0C204830F3255352AF7E48B512ED86A8C0FC96524CBB6415
SHA-512:	999DFD90C1D15706C5C04134034F3A9520AA6BECE0C3E0DCD7948C4B4B0DD60B8DD2FF3866E8B6D5EED5D9002337B20F0036D7CA9529C7FD4005904D7E1AC737
Malicious:	false
Preview:	!BDN.&.SM......\...>...........z.......\................@...........@...@...................................@...........................................................................$.......D.......:..............y...............v...................................................................................................................................................................................................................................................................................................~.0...%.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.9982099015937981
Encrypted:	false
SSDEEP:	192:tTk0DwjTIoOJMeDe6MrzTJsHutLwJwEPnx0fGXQxqDTADe44si1R434+lz:xQjTIXJvDe/qHu8euAxqf2fc1R2
MD5:	32D8C49C921F7AE64D8A63B74171766B
SHA1:	3873B94E23BC45262391710406BCB0724D3379A5
SHA-256:	6BB5489227A8392CE290D707BB4EFE996F996CFAE9B64E8817833124EEB96AC2
SHA-512:	E6FFEF37188F4CE20CFA32D79834CFBB9828CEE4DC8B7313B6957AAF1DCA5798E947B18DBAA164CD9B47DD038858D55042F3AD19F6AEA042496B2901AD4CDA24
Malicious:	false
Preview:	.\|..C...N..............'......................#.!BDN.&.SM......\...>...........z.......\................@...........@...@...................................@...........................................................................$.......D.......:..............y...............v...................................................................................................................................................................................................................................................................................................~.0...%....'.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	3.774667173601363
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Potential case.msg
File size:	111'104 bytes
MD5:	e7661cebd5227ee01d2d712852103022
SHA1:	dcb502ee880cec41cac4d8db931bf3fd3ba981e7
SHA256:	e930674381e055383ca6881357a2c437a65afd3b99c157c79007b4046bc91893
SHA512:	aa326c59418dd03c987dcbc528d7fab6a485d599fe0ed9c8ebddb1394c44cb3c13655871b0b9bd3e18604a8417a2c8529664f6146d98045419a347545ce5ca6a
SSDEEP:	3072:w11+oegeprU+qdgWejpJm7X8GORikW16K4:5oegeprUXgWcJm4GMIf4
TLSH:	BEB30F213AFA1119F2B79F364BF290978537FD526D249A5F2191330E0A72A41DC62F3B
File Content Preview:	........................>......................................................................................................................................................................................................................................

Static Mail

General

Subject:	Potential case
From:	ELSA ISABEL LOAIZA RAMIREZ <eloaiza1@ibero.edu.co>
To:	"info@lawfirm.com" <info@lawfirm.com>
Cc:
BCC:
Date:	Tue, 23 Apr 2024 23:33:25 +0200
Communications:	No suele recibir correos electrnicos de eloaiza1@ibero.edu.co. Por qu esto es importante <https://aka.ms/LearnAboutSenderIdentification> Does your law office handles breach of contract/business litigation cases?
Attachments:

Headers

Key	Value
Received	from EA2PR22MB5141.namprd22.prod.outlook.com
21	33:25 +0000
ARC-Seal	i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass
by GVXP194MB2329.EURP194.PROD.OUTLOOK.COM (2603	10a6:150:1ff::10) with
2024 21	33:31 +0000
(2603	10a6:20b:458::19) with Microsoft SMTP Server (version=TLS1_2,
Transport; Tue, 23 Apr 2024 21	33:35 +0000
Authentication-Results	spf=pass (sender IP is 40.107.220.127)
Received-SPF	Pass (protection.outlook.com: domain of ibero.edu.co designates
15.20.7519.19 via Frontend Transport; Tue, 23 Apr 2024 21	33:34 +0000
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
by PH7PR22MB3771.namprd22.prod.outlook.com (2603	10b6:510:2a7::19) with
([fe80	:7e72:c08a:7712:734d%5]) with mapi id 15.20.7472.044; Tue, 23 Apr 2024
From	ELSA ISABEL LOAIZA RAMIREZ <eloaiza1@ibero.edu.co>
To	"info@lawfirm.com" <info@lawfirm.com>
Subject	Potential case
Thread-Topic	Potential case
Thread-Index	AQHalcXfyO9PjbgeZ02NAKD4gUXv+g==
Date	Tue, 23 Apr 2024 21:33:25 +0000
Message-ID	<EA2PR22MB51418321A87DB8980EB36D9FB5112@EA2PR22MB5141.namprd22.prod.outlook.com>
Accept-Language	es-ES, en-US
Content-Language	es-ES
X-MS-Has-Attach	X-MS-TNEF-Correlator:
msip_labels	Authentication-Results-Original: dkim=none (message not signed)
x-ms-traffictypediagnostic	EA2PR22MB5141:EE_\|PH7PR22MB3771:EE_\|AM2PEPF0001C709:EE_\|GVXP194MB2329:EE_\|AS8P194MB1690:EE_
X-MS-Office365-Filtering-Correlation-Id	b02e154d-6c10-4b9d-3345-08dc63dd0812
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;
X-Microsoft-Antispam-Message-Info-Original	=?us-ascii?Q?Pl/PwBw3tgYdDtI72TPKEzj39HTXI54LluJAYpVRLdD1HAkPPVSkCA7JKSVB?=
X-Forefront-Antispam-Report-Untrusted	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:EA2PR22MB5141.namprd22.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(376005)(1800799015)(366007)(7416005)(41320700004)(38070700009);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount	1
X-MS-Exchange-AntiSpam-MessageData-Original-0	=?iso-8859-1?Q?jP8akr2Fvf4iI/gDlACUJBKyzvJ7GhgP2yToycPFKVIOvLZdVGSB+W7bOB?=
Content-Type	multipart/alternative;
MIME-Version	1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped	GVXP194MB2329
Return-Path	eloaiza1@ibero.edu.co
X-MS-Exchange-Organization-ExpirationStartTime	23 Apr 2024 21:33:35.4100
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	b02e154d-6c10-4b9d-3345-08dc63dd0812
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	055b0795-7299-45a9-bc23-ad109157818e:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped	AM2PEPF0001C709.eurprd05.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	AM2PEPF0001C709.eurprd05.prod.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	AM2PEPF0001C709.eurprd05.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs	6155e436-d1ff-4adc-7687-08dc63dd0241
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-MS-Exchange-Organization-SCL	1
X-Microsoft-Antispam	BCL:0;
X-Forefront-Antispam-Report	CIP:40.107.220.127;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-CO1-obe.outbound.protection.outlook.com;PTR:mail-co1nam11on2127.outbound.protection.outlook.com;CAT:NONE;SFTY:9.25;SFS:(13230031)(5000899004);DIR:INB;SFTY:9.25;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	23 Apr 2024 21:33:34.9725
X-MS-Exchange-CrossTenant-Network-Message-Id	b02e154d-6c10-4b9d-3345-08dc63dd0812
X-MS-Exchange-CrossTenant-Id	055b0795-7299-45a9-bc23-ad109157818e
X-MS-Exchange-CrossTenant-AuthSource	AM2PEPF0001C709.eurprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:00:05.1229395
X-MS-Exchange-Processed-By-BccFoldering	15.20.7472.035
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?f2iOb7jpsA1uzp8JVCB56xvrFxqxbCurS2tkINoy1XUvrqJbHAAp3MIDI5Fx?=
date	Tue, 23 Apr 2024 23:33:25 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 1212, Parent PID: 4380

General

Target ID:	0
Start time:	09:58:13
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Potential case.msg"
Imagebase:	0x2d0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ai.exePID: 6300, Parent PID: 1212

General

Target ID:	2
Start time:	09:58:14
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "57B5CA36-1F39-4B75-A120-D942A4584BF5" "D7487505-4B59-460F-99E2-C18C5A1314E0" "1212" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff791af0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly