Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
a.manasova@mlsp.kg.msg

Overview

General Information

Sample Name:	a.manasova@mlsp.kg.msg
Analysis ID:	882695
MD5:	141b5248e25ba914cf62643f1e37a1be
SHA1:	7506634f2eeafdff86ead03ab276127a3b19fcf3
SHA256:	e873bc60713be05e0d7e32218bba4839f6b09e7f59c5ac5cbc0ef582b666c26f
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

LLM found phishing text in email (MSG / EML)

Creates or modifies windows services

Deletes files inside the Windows folder

Creates files inside the system directory

Classification

×

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 1304 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\a.manasova@mlsp.kg.msg MD5: 7DD935BA9B57D9D7EFF63C67653E70B5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

LLM found phishing text in email (MSG / EML)

Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Subject is an email address, not a relevant subject line
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Mismatch between sender's email domain and organization mentioned in signature
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Message content mentions infected password to file
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Unrelated recipient email address
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Attachment with suspicious file format (.zip)

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File deleted: C:\Windows\SysWOW64\PerfStringBackup.TMP

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Windows\inf\Outlook\

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\{285EE306-80F3-46AB-9CE8-F29B3B7E7A13} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File written: C:\Windows\INF\Outlook\outlperf.ini

Jump to behavior

Source: classification engine

Classification label: sus21.phis.winMSG@1/14@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File read: C:\Program Files (x86)\Microsoft Office\Office16\1033\OUTLPERF.INI

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Window detected: Number of UI elements: 13

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Masquerading	OS Credential Dumping	2 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882695
Start date and time:	2023-06-06 17:09:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	a.manasova@mlsp.kg.msg
Detection:	SUS
Classification:	sus21.phis.winMSG@1/14@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.222
Excluded domains from analysis (whitelisted): fp.msedge.net, a-0019.a-msedge.net, a-0019.standard.a-msedge.net, ctldl.windowsupdate.com, 1.perf.msedge.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.386250147886969
Encrypted:	false
SSDEEP:	1536:CYLrgsLS2ROgseNcAz79ysQqt2YqoQcrcm0FvJybFElL+QK3Fuyu5i:5rgsROgFmiGu2YqoQcrt0FvYbilLzcSi
MD5:	2D5F0515FA329653416C418EEAF0539B
SHA1:	11AF78A611AF5B0FE222FDFC9C0ECFF9D0078171
SHA-256:	6C3A050F2807515EB8762C7DC79547EB8C8F8D90699A2B755EDA007E34403FC1
SHA-512:	03E4CA829399F14EE30541F4E46D475A7FCA81223ACF558208CDF1A52676EFF25514B611B9B79CE6B1407F4B2B5FD6C5E849CF2EDAC8999A5E3975B5B21B2F59
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	TH02...... ...4.........SM01X...,.... ..............IPM.Activity...........h..>r...........h.........FmrH..h........a7.....h^F.w..../G7rH..h.... ....V7r...h.O7r0...`......h.>r.....0z....h...w....e4.....h....@..........h...H..........0....T...............d.........2h.\|>r...........k_.D.....e.....!h.............. h.........0....#h..7r8.........$h@3......8....."h..............'h.\|............1h....<.........0h0!..4........./h\..h....HmrH..h;.>rp.........-h..............+h@3......e7.................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AC750082.dat

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=1404, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=3482], progressive, precision 8, 1500x605, components 3
Category:	dropped
Size (bytes):	311739
Entropy (8bit):	7.950542022316034
Encrypted:	false
SSDEEP:	6144:+HucIZTMMQs03rdyM9jG0y//MthKjHMKzXvCSu6LPmWQ7gAJvJ36RIHyFDlX:+Hu95p0ynMthKTMKz/o6DmF7zJvJ36RP
MD5:	C835CC5EBB3DFFBEEEA5C19DCC3BAB4B
SHA1:	E7A1422F4B8B952325945678B7F41BBE48496C11
SHA-256:	1DE5F68AB47A6ABEF6D3A3FC8B681AC425B8D4E682298EDE9756F7849498507F
SHA-512:	B375DF29F3A54DA67F8BECDB396F4F66D9FD276C53ADE4C36B1F9711DC4CA0C252338796FC89108B51A9151B0F1C137089CEB05AA74B1ACAAF1E8532504E3310
Malicious:	false
Reputation:	low
Preview:	.....LExif..MM.*...........................\|...........................................................................(...........1.....".....2..........i.............$............'.......'.Adobe Photoshop CC 2019 (Windows).2019:05:15 17:19:38.............0221..................................]...............................r...........z.(.........................................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................A...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..T.@.@.#Q..g!..Gh.#...t......k...?...~.....{l\|..-..a.7..7w.=......L.k...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C2CF8DBE-A3F9-4A9D-96B0-EC158C0DA5C3}.tmp

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	1686
Entropy (8bit):	2.0742473593210593
Encrypted:	false
SSDEEP:	12:KRD/UJkaSM1O19mSQVNYDYZ3OMlmlmdbTeFQlNw0fkvDDviN2n:sDIkaSehSAaq3OMQETeFt0fqDDKN2
MD5:	D6FD5A20495711B409BD7E4A8E14F1A1
SHA1:	27BB1641EAAB578908A766B4FDFE939390D612E5
SHA-256:	FA25E32905B07271F7221B7E25CD17293D72848C9E9733846E9CBFA60748C85B
SHA-512:	B92D7903118287BEC2CA48C97A85A78BF6F858946521AB5729FB901DF7AEC769591BD04B6C8EF441B3FB8FF3A278CF5FC57D8A2E26FC19837994D4BC16D50F0D
Malicious:	false
Reputation:	low
Preview:	......P.a.s.s.w.o.r.d. .t.o. .f.i.l.e. .i.s. .. i.n.f.e.c.t.e.d.. ......J.e.s.u.s. .O.l.m.e.d.o...M.i.d.l.a.n.d. .C.o.l.l.e.g.e. .T.C.-.1.0.0...P.C.\.N.e.t.w.o.r.k. .A.s.s.i.s.t.a.n.t. .T.e.c.h............................................................................................................................................................. ...O.f.f.i.c.e.:. .(.4.3.2.). .6.8.5.-.4.7.8.3...................................................................................................................................D...F...H...b.......b...................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8280B2FDC6D618DD.TMP

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.39836834631779766
Encrypted:	false
SSDEEP:	192:kQetK5IrY3H68ctBKNNI3ZwzmainvUgMn4beEwqivcuCAqNgiXHW8AbAZ/:Re0m4hpk3/UgMn4uqi0miXHhM
MD5:	96B2ACB1F8B2B0B175BCBE69B4BE9C2C
SHA1:	E9777AB36427D6A08AE748E471C37C6AA71B4DB3
SHA-256:	F52F44F4396221F1E24FF269D0E564D7A82FD3C07BF4636D2BCD1671F90025F5
SHA-512:	FF303A9197E3172083B77104EF12E59C786D9EEF86C259214B5655D9CC29F9D8046F2686D955ACB837D4C134DBF9F261BBE6D08165BBC54065747341D72C1E52
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Outlook\Outlook.srs

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.6697523117186979
Encrypted:	false
SSDEEP:	12:rl3baF4qLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheC5um:rimnq1Py961V
MD5:	B4A39480FB4639B8D1EC08797FDE62E6
SHA1:	FCD6D9B0A6310C6ECA7E83B45E4FF4AAB6B0BF26
SHA-256:	DD64A55757F9CFAA40E285A3CECC1A8F93BBF565652F366DEF7434904DD59A11
SHA-512:	88E6B52091F7B1A498DCD67C2DBF484171104625F6752A91B9766F3CB133999FC778DA3A2D66C37A8E5EED19EB4FE6C65488A0D72B991B3AB4E4434F85FF5643
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	2.8954618442383215
Encrypted:	false
SSDEEP:	3:QVNliGn:Q9rn
MD5:	C4F79900719F08A6F11287E3C7991493
SHA1:	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:	0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..p.r.a.t.e.s.h.....

C:\Users\user\Documents\Outlook Files\Outlook.pst

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.5239162113577551
Encrypted:	false
SSDEEP:	768:QQxKKOaPV1BZXQkP4eRRRthGPIG/fXDGWhGWiZAfm0zuV4ImQXmwI1Tb:UaPfVyPHISfpmmQA1
MD5:	C9D1F19E90D5ED41F74C5951149BCF8D
SHA1:	BFCA41030C603AF2F608696BD2A9964118E8FE3B
SHA-256:	2E83EFCC0A629BD77209761FEC6036165C8CB716F7C4EB8F68F5116E1F32CA95
SHA-512:	2CC2E3882FAA82B98A51E16904E920C9F94380410A9D6668808DC192DB78B9E30F690BCAD675D02BD1CCA208693A8EE7566578A8DA461F6EF8FCAB1B3CDFF7ED
Malicious:	false
Preview:	!BDN..?SM......\.......................f................@...........@...@...................................@...........................................................................$.......D.......1.......................6...........................................................................................................................................................................................................................................................................................................p:.d......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.7842814080599184
Encrypted:	false
SSDEEP:	192:AnCDSIeozafqewjT+JcKrDDQHK2rz9gHBr0LNFkNFQU8nGLV:AASIeojjTOcKEFgHBriosGp
MD5:	2006E2C1411DF44E74FEFBDB1AE02197
SHA1:	03819483C186103DC08762A864710FEDE2C881B9
SHA-256:	067CB3C687CED36749E78AC0A9C801E710F622CE4366F420BC1D197EFF507339
SHA-512:	1F591FB35E006FC5E4DAF2BF88481735D676091B93AA1233F4AFC0BECB6D4ED72B31D54000E0E4AC1A12E2179DB0B2481830CED0A1614D43124189C26B686EE5
Malicious:	false
Preview:	..TC...B..............\|.....................#.!BDN..?SM......\.......................f................@...........@...@...................................@...........................................................................$.......D.......1.......................6...........................................................................................................................................................................................................................................................................................................p:.d.....\|........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\INF\Outlook\outlperf.h

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	551
Entropy (8bit):	4.697154350883648
Encrypted:	false
SSDEEP:	12:HevrLo2k2/VmkaYyaJ3VUxe4DaPaIdVXN+I1okaDHDaQay/C45jG2DpkZ:gLo2FVDaYNJ3Ko4DaygFN+oFabe1wCQE
MD5:	BC71FF7DA14ECA943FA0AD815F72B8CB
SHA1:	CECCD0CFF2DD12AEDE7DE14457D15D00687165BB
SHA-256:	48E537902C03A3EEE4790FC97EE072CDDC7C1A90122702DD18243D8C12A0D99A
SHA-512:	08CD022D34C1B9B080322C3CFA15CC22E3353D42BA55C729723378DC177E8A0E979C6644BC2F97B2E36CB5E864FA37FF05DA6DBA5794A39380E72182015AB324
Malicious:	false
Preview:	#define OBJECTTYPE 0..#define RPCATTEMPTED 2..#define RPCSUCCEEDED 4..#define RPCFAILED 6..#define RPCCANCEL 8..#define RPCSHOWN 10..#define RPCFOREGROUND 12..#define RPCTIMEAVG 14..#define RPCTIMEAVG10 16..#define RPCTIMEAVG50 18..#define RPCTIMEAVG200 20..#define RPCTIMEMIN 22..#define RPCTIMEMAX 24..#define RPCCONNCOUNT 26..#define RPCSRVOBJCOUNT 28..#define CONTEXTHANDLECOUNTAD 30..#define BINDINGHANDLECOUNTAD 32..#define CONTEXTHANDLECOUNTSTORE 34..#define BINDINGHANDLECOUNTSTORE 36..

C:\Windows\INF\Outlook\outlperf.ini

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	Generic INItialization configuration [languages]
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	5.33674634085226
Encrypted:	false
SSDEEP:	48:mJy8LzDyWt1D6lj50fvikpfNec0v6fevt8rN+rn9pNREVkWVmCU4ah6+65vq+69D:m/LzfzD6t50f1sZ6Wl8RerzEVkWh1am+
MD5:	509A7197AE66401D1DA76F4BAC1DD0A8
SHA1:	A30F0CF0161ADDBDD3B04B482FEF651EE4EAE322
SHA-256:	EE9E288C3495FD548FD49095BE08807F215FC0780064E179011098C0C7461A34
SHA-512:	4041C1073CB15ADA49D284CF612A95502CE74AC1EF69FD1B9DFDF84EDDD074150B6092C8534E49807AD3166F97127477E3497368AE845D369EBBFC2ACFC6C071
Malicious:	false
Preview:	[info]..drivername=Outlook..symbolfile=outlperf.h....[languages]..009=English....[text]..OBJECTTYPE_009_NAME=Outlook..OBJECTTYPE_009_HELP=Gives performance metrics for outlook server connectivity...RPCATTEMPTED_009_NAME=RPCs Attempted..RPCATTEMPTED_009_HELP=Number of RPCs that outlook attempted to send to the server...RPCSUCCEEDED_009_NAME=RPCs Succeeded..RPCSUCCEEDED_009_HELP=Number of RPCs that outlook successfully sent to the server...RPCFAILED_009_NAME=RPCs Failed..RPCFAILED_009_HELP=Number of RPCs that were attempted, but failed...RPCCANCEL_009_NAME=RPCs Cancelled..RPCCANCEL_009_HELP=Number of RPCs that were sent to the server, but the user cancelled...RPCSHOWN_009_NAME=RPCs UI Shown..RPCSHOWN_009_HELP=Number of RPCs that were sent to the server, and took long enough to show progress UI...RPCFOREGROUND_009_NAME=RPCs Attempted - UI..RPCFOREGROUND_009_HELP=Number of RPCs that outlook attempted that blocked the UI...RPCTIMEAVG_009_NAME=Time Avg (all)..RPCTIMEAVG_009_HELP=The average

C:\Windows\SysWOW64\PerfStringBackup.INI

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	856456
Entropy (8bit):	3.424585245442674
Encrypted:	false
SSDEEP:	3072:nJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbO1gK/Spm3PfqKBLamVkqhwxpR8UUUF:C1nqgsp2OtBaiY
MD5:	DCCE5FDA282F7296C105A3873060F7E1
SHA1:	876013B7EB661FF7B33845DBFAD468D70B29EB39
SHA-256:	E2C4415CCAF2F1CCE8448F8EF0B297CE0BDD085FB36072F0E784F403ECC20082
SHA-512:	FEECE5A6337CF404312FA2C4CE55054104A3AF3531A78588A43836B5D4D94620CF3216E672935079D7C5DE4C10A576C54D075D76CA62340C8DD18F88EC6C71F6
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.9.3.0.6.....L.a.s.t. .H.e.l.p.=.9.3.0.7.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.8.6.....F.i.r.s.t. .H.e.l.p.=.3.9.8.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.9.8.....L.a.s.t. .H.e.l.p.=.3.9.9.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.7.1.4.....F.i.r.s.t. .H.e.l.p.=.3.7.1.5.....L.a.s.t. .C.o.u.n.t.e.r.=.3.7.2.4.....L.a.s.t. .H.e.l.p.=.3.7.2.5.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.4.4.7.2.....F.i.r.s.t. .H.e.l.p.=.4.4.7.3.....L.a.s.t. .C.o.u.n.t.e.r.=.4.4.9.8.....L.a.s.t. .H.e.l.p.=.4.4.9.9.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.5.6.....F.i.r.s.t. .H.e.l.p.=.3.9.5.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.8.4.....L.a.s.t. .H.e.l.p.=.3.9.8.5.........[.P.E.R.F._...N.E.T. .

C:\Windows\SysWOW64\PerfStringBackup.TMP

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	856456
Entropy (8bit):	3.424585245442674
Encrypted:	false
SSDEEP:	3072:nJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbO1gK/Spm3PfqKBLamVkqhwxpR8UUUF:C1nqgsp2OtBaiY
MD5:	DCCE5FDA282F7296C105A3873060F7E1
SHA1:	876013B7EB661FF7B33845DBFAD468D70B29EB39
SHA-256:	E2C4415CCAF2F1CCE8448F8EF0B297CE0BDD085FB36072F0E784F403ECC20082
SHA-512:	FEECE5A6337CF404312FA2C4CE55054104A3AF3531A78588A43836B5D4D94620CF3216E672935079D7C5DE4C10A576C54D075D76CA62340C8DD18F88EC6C71F6
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.9.3.0.6.....L.a.s.t. .H.e.l.p.=.9.3.0.7.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.8.6.....F.i.r.s.t. .H.e.l.p.=.3.9.8.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.9.8.....L.a.s.t. .H.e.l.p.=.3.9.9.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.7.1.4.....F.i.r.s.t. .H.e.l.p.=.3.7.1.5.....L.a.s.t. .C.o.u.n.t.e.r.=.3.7.2.4.....L.a.s.t. .H.e.l.p.=.3.7.2.5.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.4.4.7.2.....F.i.r.s.t. .H.e.l.p.=.4.4.7.3.....L.a.s.t. .C.o.u.n.t.e.r.=.4.4.9.8.....L.a.s.t. .H.e.l.p.=.4.4.9.9.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.3.9.5.6.....F.i.r.s.t. .H.e.l.p.=.3.9.5.7.....L.a.s.t. .C.o.u.n.t.e.r.=.3.9.8.4.....L.a.s.t. .H.e.l.p.=.3.9.8.5.........[.P.E.R.F._...N.E.T. .

C:\Windows\System32\perfc009.dat

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	133672
Entropy (8bit):	3.4045308547957878
Encrypted:	false
SSDEEP:	1536:X1iTIxFbXxIPoO2NAYW22glhzEmhVd0Rev54d:XtxFbXxIPoO2NAYW22glhzEpev54d
MD5:	CD989A7EF2086A5952A945991A8E731D
SHA1:	BF9DBF42367872448D1A8C107C132C5C6355D156
SHA-256:	A9DD4213B016C7C37E18394710657327BB6DD083A6EBF9D97D94A31829A630E1
SHA-512:	EEA18B26AC27C2F03F7FE115439EA4BE713680B58C403ABAD3668ECE50CFE63A730E28AEC2249988237B8133C4BD9C1F17106C7FB004BDA4E0BBB0F7FF94035A
Malicious:	false
Preview:	1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

C:\Windows\System32\perfh009.dat

Process:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	711942
Entropy (8bit):	3.2750038779489223
Encrypted:	false
SSDEEP:	3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHd1zsS3MgjBmbsCJnpEiLxVrFfarYCH6b/o:78M6d0lBb/8c
MD5:	E7524976DB303DF6346CF3024872DD9C
SHA1:	31CAF98E58524AB40F9A786F4504869AFABA1F3A
SHA-256:	2CDA416A24A4B10CC28E873E038CED3207D1EFB4A1D07A4594D5728B48EAE4FD
SHA-512:	D87AB126F26BE07DFF3928D8D1AC2496531410DDFBFA2D7D24A8E53BCF12A95FEE9789C061722414885621277732C1F33540BFE9A75D36DE68D51411ECF176E4
Malicious:	false
Preview:	3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	7.635831907729842
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	a.manasova@mlsp.kg.msg
File size:	430592
MD5:	141b5248e25ba914cf62643f1e37a1be
SHA1:	7506634f2eeafdff86ead03ab276127a3b19fcf3
SHA256:	e873bc60713be05e0d7e32218bba4839f6b09e7f59c5ac5cbc0ef582b666c26f
SHA512:	130c04633841aed460e1f5d310e4b5d755e16910fca9913550fe5beb43b433f60246726c927d91f9ae3e79ff9761b82bce280ebe1ccaef21b8e3c1b7225e2ed7
SSDEEP:	12288:YXiayuVyNbirMHu95p0ynMthKTMKz/o6DmF7zJvJ36RfFDl:TZCRnfjz/SF5J36Rtp
TLSH:	2694F1207AA59B16F6BF4F721CD2C4874111BCC1EE81978BB39E775E2B316C1E86061E
File Content Preview:	........................>................................... ...................\|..............................................................................................................................................................................

Static Mail

General

Subject:	a.manasova@mlsp.kg
From:	Jesus Olmedo <jolmedo@midland.edu>
To:	Security Alerts <security-alerts@dir.texas.gov>
Cc:
BCC:
Date:	Tue, 06 Jun 2023 16:45:16 +0200
Communications:	Password to file is infected Jesus Olmedo Midland College TC-100 PC\Network Assistant Tech Office: (432) 685-4783 This email originated from outside of DIR. Computer viruses can be transmitted via email attachments and links. The recipient should check this email and any attachments for the presence of viruses. Do not click any links or open any attachments unless you recognize the sender and know the content is safe. To report a suspicious email or to verify if an email is legitimate, please save the email as a file and send the file as an attachment to phish@dir.texas.gov.
Attachments:	image001.jpg a.manasova@mlsp.kg.zip

Headers

Key	Value
Received	from SN6PR20MB3566.namprd20.prod.outlook.com
(2603	10b6:300:80::26) with Microsoft SMTP Server (version=TLS1_2,
HTTPS; Tue, 6 Jun 2023 14	46:27 +0000
ARC-Seal	i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass
by PH0PR09MB11214.namprd09.prod.outlook.com (2603	10b6:510:2c8::20) with
2023 14	45:16 +0000
(2a01	111:f400:7d04::203) by MWHPR09CA0016.outlook.office365.com
Transport; Tue, 6 Jun 2023 14	45:19 +0000
Authentication-Results	spf=pass (sender IP is 40.107.236.41)
Received-SPF	Pass (protection.outlook.com: domain of midland.edu designates
15.20.6477.21 via Frontend Transport; Tue, 6 Jun 2023 14	45:19 +0000
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=midland.edu;
by IA1PR20MB6455.namprd20.prod.outlook.com (2603	10b6:208:44c::7) with
([fe80	:6a9d:eb9c:bff9:8355%7]) with mapi id 15.20.6455.030; Tue, 6 Jun 2023
14	45:16 +0000
From	Jesus Olmedo <jolmedo@midland.edu>
To	Security Alerts <security-alerts@dir.texas.gov>
Subject	a.manasova@mlsp.kg
Thread-Topic	a.manasova@mlsp.kg
Thread-Index	AdmYhXeTz3Yb3LidS+67xVlGq2vFoQ==
Date	Tue, 6 Jun 2023 14:45:16 +0000
Message-ID	<SN6PR20MB3566BC71E1AC98FBA7741F38AD52A@SN6PR20MB3566.namprd20.prod.outlook.com>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator	Authentication-Results-Original: dkim=none (message not signed)
x-ms-traffictypediagnostic	SN6PR20MB3566:EE_\|IA1PR20MB6455:EE_\|DM3GCC02FT001:EE_\|PH0PR09MB11214:EE_\|SA9PR09MB4637:EE_
X-MS-Office365-Filtering-Correlation-Id	63fdf0ad-bd98-4f0e-17e2-08db669ca675
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;
X-Microsoft-Antispam-Message-Info-Original	1BlVMk8obQfad2fDXor+ovQIPYn2UHXxZMbs+J67j8EwndL7cGeeo8sD8sMzZGib8MjrmVmpYBB05k2CcXPQzU//BlgCAdnzGFT/P+VjdXyYREJJmu7jhlocR4sPanZpmlyoJXRcEjQRpTh+nwpor6D7DIaMORlOv9/dIXaLxf7a2aeR546Z4oGks0dDOs2zITE28sN5giLqrAOQ9cdNhcPsyT9Hu3KUqWaXI6q1GPR61V2P70jdszb2NsSLg9zxDqMKXQawD5J7eridaBeFqnw1H9uep8Br0UKpuoyBqrD+YoS8HTxCViqfvXRFL/vsvjXVxIc68Xt+iJbypnqLGpzAFed+vRyl/1YdzJ9wsc6K0IzYnx0J39xEOjVUNZgoparZ5S2qfHKOUthEhNuhZ4uPFYSKypuJvoufTKMXTT9ZvORfajn3akk5A3blBPzMmFyLhQvqocCGPmfvTAeY1Hn9nXdD7DkU7s62ffgVXxFWpGfZKwRZAY2jdtJvxjo3oRMymLD9nvCSw5oP3bMltJCqCOPZAwX/5nIgaPKESoNzq8m26RjvtZ09DqfwIfPB
X-Forefront-Antispam-Report-Untrusted	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR20MB3566.namprd20.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(376002)(396003)(136003)(346002)(39850400004)(366004)(451199021)(2906002)(83380400001)(38070700005)(33656002)(558084003)(40140700001)(86362001)(41320700001)(99936003)(38100700002)(122000001)(75432002)(3480700007)(55016003)(786003)(7696005)(41300700001)(52536014)(5660300002)(316002)(8936002)(8676002)(478600001)(66556008)(64756008)(66446008)(71200400001)(66946007)(76116006)(66476007)(9686003)(6506007)(6916009)(26005)(186003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount	1
X-MS-Exchange-AntiSpam-MessageData-Original-0	=?us-ascii?Q?jySj0YJvpMB8cmkSXZFsn9u/F8YST+0dRLTmm4HgL6JiXtzayEZjSOIy3nRq?=
Content-Type	multipart/mixed;
MIME-Version	1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped	PH0PR09MB11214
Return-Path	jolmedo@midland.edu
X-MS-Exchange-Organization-ExpirationStartTime	06 Jun 2023 14:45:19.6680
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	63fdf0ad-bd98-4f0e-17e2-08db669ca675
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	62e14245-7a83-44a7-97d0-0fc0053368c2:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped	DM3GCC02FT001.eop-gcc02.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	DM3GCC02FT001.eop-gcc02.prod.protection.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	DM3GCC02FT001.eop-gcc02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs	d4706091-c761-43f3-e599-08db669ca49c
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;
X-Forefront-Antispam-Report	CIP:40.107.236.41;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam11on2041.outbound.protection.outlook.com;CAT:NONE;SFS:;DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	06 Jun 2023 14:45:19.5586
X-MS-Exchange-CrossTenant-Network-Message-Id	63fdf0ad-bd98-4f0e-17e2-08db669ca675
X-MS-Exchange-CrossTenant-Id	62e14245-7a83-44a7-97d0-0fc0053368c2
X-MS-Exchange-CrossTenant-AuthSource	DM3GCC02FT001.eop-gcc02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:01:08.4595553
X-MS-Exchange-Processed-By-BccFoldering	15.20.6455.026
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?daWFskaFiyyoNpBPX6sMsNcj3nZd7hOubuKHjmxrxlGHcMHIzjk3XmmWXz+I?=
date	Tue, 06 Jun 2023 16:45:16 +0200

File Icon


Icon Hash:	deecb9d2afecdebf

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: OUTLOOK.EXEPID: 1304, Parent PID: 3324

General

Target ID:	0
Start time:	17:10:38
Start date:	06/06/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\a.manasova@mlsp.kg.msg
Imagebase:	0x13b0000
File size:	23291112 bytes
MD5 hash:	7DD935BA9B57D9D7EFF63C67653E70B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly