
Windows Analysis Report
test.eml

Overview

General Information

Sample name:test.eml
Analysis ID:1672199
MD5:70d4e5c45d8bae95ac55d31582053407
SHA1:12d31eb52286e5033c65b2d943aa37791d28fb4a
SHA256:a4dfbc096eacc7290df32783a974c3f26f9f059320f4dc40c64ae8bc8b1f7532
Infos:

Detection

Score:20
Range:0 - 100
Confidence:80%

Signatures

AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8000 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\test.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7748 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3A25069F-5E80-487A-A69E-7E66DBDD27B8" "20746A41-D4B8-4E16-8D99-B564C37B45FC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Phishing

Source: test.eml; Joe Sandbox AI: Detected potential phishing email: Email contains only numbers with no context or proper message formatting. Suspicious communication pattern with multiple empty lines and isolated numbers. From address using generic 'ceo@example.com' targeting accounting department is a common phishing tactic
Source: Email; Classification: Payroll Fraud
Source: classification engine; Classification label: sus20.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250423T1117160419-8000.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\test.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3A25069F-5E80-487A-A69E-7E66DBDD27B8" "20746A41-D4B8-4E16-8D99-B564C37B45FC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (49 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Behavior Graph (ID: 1672199, Sample: test.eml, Startdate: 23/04/2025, Architecture: WINDOWS, Score: 20): signature "AI detected suspicious elements in Email content"; OUTLOOK.EXE started, dropped C:\...\~Outlook Data File - NoEmail.pst.tmp (COM), and started ai.exe.

No Antivirus matches
    Name: s-0005.dual-s-dc-msedge.net
    IP: 52.123.131.14
    Active: true
    Malicious: false
    Antivirus Detection:
    Reputation: high
    No contacted IP infos
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1672199
    Start date and time:2025-04-23 17:16:06 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 16s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:17
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:test.eml
    Detection:SUS
    Classification:sus20.winEML@3/3@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.20.38, 51.116.246.104, 52.168.117.174, 184.29.183.29, 52.123.131.14, 131.253.33.254, 204.79.197.222, 4.175.87.197
    • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fp.msedge.net, ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedscolprdgwc00.germanywestcentral.cloudapp.azure.com, dual-s-0005-office.config.skype.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, onedscolprdeus22.eastus.cloudapp.azure.com, mobile.events.data.trafficmanager.net
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    No simulations
    No context
    Match: s-0005.dual-s-dc-msedge.net (Associated Sample Name / URL; Detection; Threat Name; Context)
    • Message.eml; malicious; Unknown; 52.123.131.14
    • phish_alert_sp2_2.0.0.0 - 2025-04-22T143026.727.eml; malicious; Unknown; 52.123.131.14
    • CNjHXThF.eml; malicious; HTMLPhisher, Invisible JS; 52.123.131.14
    • Evidence of Insurance-1.msg; malicious; Unknown; 52.123.130.14
    • phish_alert_sp2_2.0.0.0 (6).eml; malicious; Unknown; 52.123.131.14
    • Newsletter (276Ko).msg; malicious; Unknown; 52.123.131.14
    • REIT Financial Statements Tool v2.0.1.10 Master.xlsm; malicious; Unknown; 52.123.131.14
    • 7 copy2.xlsm; malicious; Unknown; 52.123.130.14
    • REIT Financial Statements Tool v2.0.1.10 Master.xlsm; malicious; Unknown; 52.123.130.14
    • Doc_76564556787900875687.xlam.xlsx; malicious; Unknown; 52.123.130.14
    No context
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):106496
    Entropy (8bit):4.498529521755445
    Encrypted:false
    SSDEEP:1536:iz4B19GbGagrJQnbkx/Bec9aXBzQOUV/sGEI2uoc33i2wl8Pho0ONy:iz4B14bGEXK
    MD5:272586063CEAE752CDDCF2A606195F05
    SHA1:558150749ABAF6C0CFEE3C500E17DDC1BE674F33
    SHA-256:A2A28221B1E977B5D79F3C32F53D25846DE7C4267AEE29F8012AE6435A705A6F
    SHA-512:A1E97F697DFBCDCCEEFA9EA37E8C712BD45AC538FD9478A1835C98CFB02ED0C632E68B680D8F2832CF9CF12A44B6CE613CFDB9CA3546D8B1676230665D5C3554
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):1.8651115350491194
    Encrypted:false
    SSDEEP:1536:aoYuH48c5kgc5OgAonQZyvZDEglm8KcF8KcHtZ04iW53jEpEHP4qQ10PAwrha7Xv:aohBiAp9Oo7Ep9
    MD5:DAB397B423721263E082FFCD36118597
    SHA1:73F1E5E36EE8807D7293CE35D11861877C2A6CCA
    SHA-256:11C4BD8F6EBBECACDE80442C243D17EB1F1999C3F0C83E0AF14D21C1C7553FCA
    SHA-512:CB81C253A2A8BCCE1AE96CDAB0AB07F8ABE8D0217EF7410FE3E9A6832F176CDBF2BCBA86D34DFDA126E2ED302043FF8DD1D6D6E42826E9876F2EF8153EABD10D
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:COM executable for DOS
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):1.6130847727430702
    Encrypted:false
    SSDEEP:1536:uDW53jEpEHP4qQ10PAwr1b/E7RH8KcBQZUZ:u1p92pZ
    MD5:0EEBBAF1E33E12B2E2BAA178010E4CCC
    SHA1:0DA6C11729EC57291D6C69C70E5A081216C3CB25
    SHA-256:27A351A17B479C9A584782BBFB96B27BC03B27B5745DB1A274A174DA556072BC
    SHA-512:4DAFA90B929D7D1BC558F06030833D458D652F409853C38D5B12B9F253A2C67C1A38A0341BBE7AE14B51F96D22676446DFF5CFE41064E21FB43938C4CDE00EE5
    Malicious:false
    Reputation:low
    File type:news or mail, Unicode text, UTF-8 text, with CRLF line terminators
    Entropy (8bit):5.768837429590751
    TrID:
      File name:test.eml
      File size:756 bytes
      MD5:70d4e5c45d8bae95ac55d31582053407
      SHA1:12d31eb52286e5033c65b2d943aa37791d28fb4a
      SHA256:a4dfbc096eacc7290df32783a974c3f26f9f059320f4dc40c64ae8bc8b1f7532
      SHA512:4bea578857937b2564822e37ca3d1ba0b17fa3b84fe9805f8111de4baed3d99f27c58f670cc21fddab9cce86b4f0939335a35e7ca4bfb13d326fd52e29bbf39c
      SSDEEP:12:GLvat7g/rdqSbHwD2zGnFppCO/JJQDdrzU9TSXpoCGutGGpJzbGz9xpjNLfbGzRL:SvahUdqScyzwciJwrzU9TkGCGu0GpJz5
      TLSH:7201158DD68FB024EE43676254D8BA44E02C35D79B81B378893DC227FC2068AE883C74
      File Content Preview:From: ceo@example.com..To: accounting@example.com..Subject: ...................................................................................................................................................................................................
      Subject:
      From:ceo@example.com
      To:accounting@example.com
      Cc:
      BCC:
      Date:
      Communications:
      • - 4,850,000 - - - 1234567 -
      Attachments:
        Key: Value
        From: ceo@example.com
        To: accounting@example.com
        Subject:

        Icon Hash:46070c0a8e0c67d6
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName/Address | Type | Class | DNS over HTTPS
        Apr 23, 2025 17:17:19.586771965 CEST | 1.1.1.1 | 192.168.2.4 | 0x767d | No error (0) | ecs-office.s-0005.dual-s-msedge.net | shed.s-0005.dual-s-dc-msedge.net | CNAME (Canonical name) | IN (0x0001) | false
        Apr 23, 2025 17:17:19.586771965 CEST | 1.1.1.1 | 192.168.2.4 | 0x767d | No error (0) | shed.s-0005.dual-s-dc-msedge.net | s-0005.dual-s-dc-msedge.net | CNAME (Canonical name) | IN (0x0001) | false
        Apr 23, 2025 17:17:19.586771965 CEST | 1.1.1.1 | 192.168.2.4 | 0x767d | No error (0) | s-0005.dual-s-dc-msedge.net | 52.123.131.14 | A (IP address) | IN (0x0001) | false
        Apr 23, 2025 17:17:19.586771965 CEST | 1.1.1.1 | 192.168.2.4 | 0x767d | No error (0) | s-0005.dual-s-dc-msedge.net | 52.123.130.14 | A (IP address) | IN (0x0001) | false
        Target ID:0
        Start time:11:17:12
        Start date:23/04/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\test.eml"
        Imagebase:0xd40000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:5
        Start time:11:17:18
        Start date:23/04/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3A25069F-5E80-487A-A69E-7E66DBDD27B8" "20746A41-D4B8-4E16-8D99-B564C37B45FC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff687260000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        No disassembly