Windows Analysis Report
ce3354b1-93ec-e915-68c1-d433ef99e98a.eml

Overview

General Information

Sample name:ce3354b1-93ec-e915-68c1-d433ef99e98a.eml
Analysis ID:1432275
MD5:64ae1db66e7f4a9df7f463ecea7599f1
SHA1:5ffd427acfbb8ab48b5a25e50d4648b26379b7c2
SHA256:912d7c59aac9f3c48bb47b219698284b8537d8c41cc453e97b259fe5dcb0c95a
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6340 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\ce3354b1-93ec-e915-68c1-d433ef99e98a.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6996 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C261A92A-FEFE-4492-A97F-554D2F2C752A" "104AE37E-F373-41FF-9FB8-4FFFAABFA8CB" "6340" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched

There are no malicious signatures.

Source: classification engine; Classification label: clean1.winEML@3/4@0/31
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240426T1906170856-6340.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\ce3354b1-93ec-e915-68c1-d433ef99e98a.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C261A92A-FEFE-4492-A97F-554D2F2C752A" "104AE37E-F373-41FF-9FB8-4FFFAABFA8CB" "6340" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window detected: Number of UI elements: 13
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact

No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.111.229.96 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.89.179.9 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1432275
Start date and time:2024-04-26 19:05:43 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:ce3354b1-93ec-e915-68c1-d433ef99e98a.eml
Detection:CLEAN
Classification:clean1.winEML@3/4@0/31
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.132
  • Excluded domains from analysis (whitelisted): ecs.office.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, ecs-office.s-0005.s-msedge.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.384344852256023
Encrypted:false
SSDEEP:
MD5:807BA3FEA0E9464B358485E75A892EFE
SHA1:8C15AA94377444BF709C79EDBA266FEC07BBF916
SHA-256:9A1BC830F26801FC3D08C2893655D8501D5B82729E7C21CBE37C4345E56BE0D4
SHA-512:3D79A7DC89516AC9357BF0359DBC36499C86FA95705004A34F81E2674C070580151D501D094C883CD143B04D6D290B52BF0565E774620968585FF07A4CC484CA
Malicious:false
Reputation:unknown
Preview:TH02...... .............SM01X...,....8..............IPM.Activity...........h...............h............H..h..X.......?f...h........h...H..h\cal ...pDat...hP...0...p.X....h..o............h........_`.j...h+.o.@...I.lw...h....H...8..j...0....T...............d.........2h...............kT.R.....M.A...!h.............. h........X...#h....8.........$hh.......8....."h..............'h..u...........1h..o.<.........0h....4....j../h....h......jH..h..p.....X...-h .........X...+ho.o.......X......... ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:modified
Size (bytes):1869
Entropy (8bit):5.085315830518751
Encrypted:false
SSDEEP:
MD5:EDDC19D87F72F42269D9B5B7E6131DEC
SHA1:1FB24E808DC4D90A797785326ED8B050F5C8C96C
SHA-256:5FD8A52E8B963061183F61459FDB10D7846E3C25DBD8E675DAF63D16B0BD83E6
SHA-512:475AA8EE5E84FBEA20C5FD0ABEB2C36DB57970E99A9B8B6D451C3A4AD0F7A38195A703717CE5A7CB770F17E9150A9D1013A967113AD4A6B97F073F489E9F2751
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos_26215680</Id><LAT>2024-04-26T17:06:19Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-06T09:25:29Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-06T09:25:29Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-06T09:25:29Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:
MD5:DEDDCF6B7F717E144C4C8A5C7912CEA3
SHA1:D8AF9A54C67C660B86974C130F71805065D0598D
SHA-256:04991A0A0A43C5C48BA1B5F7445A833C8A2B2A4310F0C9A4313749A6681DC52A
SHA-512:E4AFA8A4696645C176D71270D448DF5EBDA5B93BC033717773EB1AB31C726BFD67401311E437AC8B76C6D55918069699BD1FB657800F2CEE2865B588BECEFE8C
Malicious:false
Reputation:unknown
Preview:..............................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):14
Entropy (8bit):2.699513850319966
Encrypted:false
SSDEEP:
MD5:C5A12EA2F9C2D2A79155C1BC161C350C
SHA1:75004B4B6C6C4EE37BE7C3FD7EE4AF4A531A1B1A
SHA-256:61EC0DAA23CBC92167446DADEFB919D86E592A31EBBD0AB56E64148EBF82152D
SHA-512:B3D5AF7C4A9CB09D27F0522671503654D06891740C36D3089BB5CB21E46AB235B0FA3DC2585A383B9F89F5C6DAE78F49F72B0AD58E6862DE39F440C4D6FF460B
Malicious:false
Reputation:unknown
Preview:..c.a.l.i.....
File type:RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):6.137443478930007
TrID:
  • E-Mail message (Var. 5) (54515/1) 100.00%
File name:ce3354b1-93ec-e915-68c1-d433ef99e98a.eml
File size:17'309 bytes
MD5:64ae1db66e7f4a9df7f463ecea7599f1
SHA1:5ffd427acfbb8ab48b5a25e50d4648b26379b7c2
SHA256:912d7c59aac9f3c48bb47b219698284b8537d8c41cc453e97b259fe5dcb0c95a
SHA512:bc3c52c32d419729f2ac79fa4acb315ad15bbd6886f9dfb7e2f320623d205a0e8c5ae1d7dff89ea797f0bbb29fa1e338b7b92b32c9535e90520a06afdb7c7ad6
SSDEEP:192:a7SpWbzNZuM492r09sZZdo/sAB59S0kq8jT0ub01RwMczz5W0TXA7RGDXsWbSKAG:RWXn34Ci/nBVkq8jRaRwFH5Y7zKzM5I
TLSH:C5725C225FFA29C109F012880DDBFD8342001E257737D9A670D9D5A6FE8B1ABA7991C7
File Content Preview:Received: from YT4PR01CA0007.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:b01:d1::14).. by SJ0PR12MB8138.namprd12.prod.outlook.com (2603:10b6:a03:4e0::7) with.. Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7472.4
Subject:Lunch: John, Vinny, Wayne
From:Wayne Vickers <wvickers@bosaproperties.com>
To:John Nicholson <john@listelhospitalitygroup.com>, Vincent Delfaud <vdelfaud@bosaproperties.com>
Cc:
BCC:
Date:Thu, 25 Apr 2024 22:00:16 +0000
Communications:
  • The information in the above message and any attachments are intended only for the addressee and may contain confidential material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you have received this message in error, please notify the sender and delete the message and attachments from any computer.
Attachments:
    Key Value
    Received: from YQBPR0101MB4354.CANPRD01.PROD.OUTLOOK.COM ([fe80::e491:f536:2fa2:b175]) by YQBPR0101MB4354.CANPRD01.PROD.OUTLOOK.COM ([fe80::e491:f536:2fa2:b175%2]) with mapi id 15.20.7519.021; Thu, 25 Apr 2024 22:00:17 +0000
    Authentication-Results: spf=pass (sender IP is 170.10.129.148) smtp.mailfrom=bosaproperties.com; dkim=pass (signature was verified) header.d=bosaproperties.com;dmarc=pass action=none header.from=bosaproperties.com;compauth=pass reason=100
    Received-SPF: Pass (protection.outlook.com: domain of bosaproperties.com designates 170.10.129.148 as permitted sender) receiver=protection.outlook.com; client-ip=170.10.129.148; helo=us-smtp-delivery-148.mimecast.com; pr=C
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bosaproperties.com; s=mimecast20200303; t=1714082420; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=r857u3MAmQ66GhIp5IC+KCg9E8NaiRL1B0L/MbawAdY=; b=MU01HmXAQ4Tls1fPSpqwp7CRnGkOyEvPhDzAo0zA88ANIpQNc8d5tfjUVVOwPtfdP5CKWa VVfATzN3Fb1t5r9+jF+7/0Mr6fJdZlLb2tegwKifRfn/Hj7jskXwFagLvcWuteW0N88ZM+ DOeHSDyYyLKoV5Cm+2hBAhSiWtD3iJ8=
    X-MC-Unique: g7fSjKUsNkWnfv2ncL9daw-1
    From: Wayne Vickers <wvickers@bosaproperties.com>
    To: John Nicholson <john@listelhospitalitygroup.com>, Vincent Delfaud <vdelfaud@bosaproperties.com>
    Subject: Lunch: John, Vinny, Wayne
    Thread-Topic: Lunch: John, Vinny, Wayne
    Thread-Index: AdqXW+DIzU/zlzkqSQClpH/S6Hln1AAABM5g
    Date: Thu, 25 Apr 2024 22:00:16 +0000
    Message-ID: <YQBPR0101MB4354BBFB5306C22C08B26203AF172@YQBPR0101MB4354.CANPRD01.PROD.OUTLOOK.COM>
    Accept-Language: en-CA, en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    x-ms-exchange-calendar-series-instance-id: BAAAAIIA4AB0xbcQGoLgCAAAAABwneIRIZfaAQAAAAAAAAAAEAAAAN7QmeOo+phJqXx/cuaVs7w=
    x-ms-traffictypediagnostic: YQBPR0101MB4354:EE_MeetingMessage|YT2PR01MB9825:EE_MeetingMessage|YT2PEPF000001CB:EE_|SJ0PR12MB8138:EE_
    X-MS-Office365-Filtering-Correlation-Id: 4061f839-b15a-4c10-d3cf-08dc65731a24
    x-ld-processed: d730a16d-5f52-4022-a597-a4481d02d358,ExtAddr
    x-ms-exchange-senderadcheck: 1
    x-ms-exchange-antispam-relay: 0
    X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230031|376005|1800799015|366007|38070700009
    X-Microsoft-Antispam-Message-Info-Original: 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
    X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YQBPR0101MB4354.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230031)(376005)(1800799015)(366007)(38070700009);DIR:OUT;SFP:1102
    MIME-Version: 1.0
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: YT2PR01MB9825
    X-Mimecast-Spam-Score: 0
    X-Mimecast-Originator: bosaproperties.com
    Content-Language: en-US
    Content-Type: multipart/alternative; boundary="_000_YQBPR0101MB4354BBFB5306C22C08B26203AF172YQBPR0101MB4354_"
    Return-Path: wvickers@bosaproperties.com
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: 2b0c1c88-9268-46fe-8037-16742353c0b2:0
    X-MS-Exchange-Transport-CrossTenantHeadersStripped: YT2PEPF000001CB.CANPRD01.PROD.OUTLOOK.COM
    X-MS-PublicTrafficType: Email
    X-MS-Office365-Filtering-Correlation-Id-Prvs: 6765fca6-b2a2-4e27-509f-08dc65731783
    X-MS-Exchange-AtpMessageProperties: SA|SL
    X-Forefront-Antispam-Report: CIP:170.10.129.148;CTRY:US;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:us-smtp-delivery-148.mimecast.com;PTR:us-smtp-delivery-148.mimecast.com;CAT:HPHISH;SFS:(13230031);DIR:INB;
    X-Microsoft-Antispam: BCL:0;
    X-Microsoft-Antispam-Message-Info: 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

    Icon Hash:46070c0a8e0c67d6