Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
nested-FW%3A payment.eml

Overview

General Information

Sample name:nested-FW%3A payment.eml
Analysis ID:1524544
MD5:5f8f0b0e9907ebba6720c25b2382904c
SHA1:84d0ffd0e4274ef1dd297c62e51b7f76bfcfeaa2
SHA256:b7f88f3aa4c7254cb9137193967ca07d2ba4cc99c7e44c91ec21ed5eea70ed31
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Creates a window with clipboard capturing capabilities
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Use Short Name Path in Command Line

Classification

Process Tree

  • System is w7x64
  • OUTLOOK.EXE (PID: 3284 cmdline: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-FW%3A payment.eml" MD5: 4EB384BD3A1D26B94A44327818685F54)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 8.8.8.8, DestinationIsIpv6: false, DestinationPort: 53, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE, Initiated: true, ProcessId: 3284, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 54562
Sigma detected: Use Short Name Path in Command Line
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-FW%3A payment.eml", CommandLine: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-FW%3A payment.eml", CommandLine|base64offset|contains: , Image: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE, NewProcessName: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE, OriginalFileName: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-FW%3A payment.eml", ProcessId: 3284, ProcessName: OUTLOOK.EXE
Sigma detected: Modification of IE Registry Settings
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE, ProcessId: 3284, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmpJump to behavior
Source: global trafficDNS traffic detected: DNS query: config.messenger.msn.com
Source: nested-FW%3A payment.emlString found in binary or memory: https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1=
Source: ~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmp.0.drString found in binary or memory: https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1jH11BqdCOET9BKLSlV1Tw?e=jP
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEWindow created: window name: CLIPBRDWNDCLASSJump to behavior
Source: classification engineClassification label: clean1.winEML@1/11@1/0
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmpJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR8610.tmpJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEWindow detected: Number of UI elements: 15
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguagesJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Masquerading		OS Credential Dumping1
File and Directory Discovery		Remote Services1
Clipboard Data		1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager1
Remote System Discovery		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
config.messenger.msn.com
unknown
unknownfalse
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1=nested-FW%3A payment.emlfalse
      		unknown
      https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1jH11BqdCOET9BKLSlV1Tw?e=jP~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmp.0.drfalse
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1524544
        Start date and time:2024-10-03 00:01:19 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 3m 58s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
        Number of analysed new started processes analysed:5
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:nested-FW%3A payment.eml
        Detection:CLEAN
        Classification:clean1.winEML@1/11@1/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .eml

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
        • Excluded IPs from analysis (whitelisted): 64.4.26.155
        • Excluded domains from analysis (whitelisted): config.messenger.msnmessenger.msn.com.akadns.net
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetValueKey calls found.
        • VT rate limit hit for: nested-FW%3A payment.eml

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):239628
        Entropy (8bit):4.258523748139207
        Encrypted:false
        SSDEEP:1536:wYLSgsdHmiOgs5NcAz79ysQqt2XqoQyrcm0Fvfyp3xe6yAc39uEuL:zSg9iOg+miGu2XqoQyrt0Fvqphe6L+a
        MD5:CE1E2BF84590B058CB239E5FC28EE42E
        SHA1:E66677F634CA524E3CE8963A7D84EDFEA890C34E
        SHA-256:355843696F3CB150CB830492B1BB6953878D6AC4AE70BA06603D5D64DA1102C0
        SHA-512:7E426C6B67E9BA93ADC02F6D0D7D11A3533CFDB68FF106DB46DDCE46826A40D799B8E2C7FCBC45FF8CCD5D6461D1081B14CB56163235988F694FD1BAFF2294C6
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:TH02...... ...#..3......SM01(............3..........IPM.Activity...........h.......................h....................H..h.......................h....................H..h.... ..................h....0..................h......O.....yT.........h.......................h....@........p.........h....H..................0....T.......................d.................2h.... ..................k0.3.........T.I.V.I...!h.3.................... h.............!........#h....8.................$h............<........."h......................'h..............O.......1h....<.................0hta\M8.......*...3..../h....l...............H..h....p.................-h......................+h............Z...3..........DH..www. ..............F7..............FIPM.Activity.ww.Form....Standard..p.Journal Entry.p.IPM.Microsoft.FolderDesign.FormsDescription................F.k..........i.c.1122110020000000..p.Microsoft...This form is used to create journal entries.......p.kf...... ..........&...........(.......(...

        C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_C164271868E29D47BDEA29AB4D73CA8B.dat

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):588
        Entropy (8bit):5.283783007941164
        Encrypted:false
        SSDEEP:12:TMG8ORCxXmHKAlN3AoQME5LAGtWuY4A2eqiAoQME5XAoQME5mAlNcdqzASAAc+Sc:3PQRmHKAlN3AT5AG9Y4A1ATxATIAlN02
        MD5:E059A0413C05A7539F3C7946435AE633
        SHA1:215A7015B625729123FB9DFF3A91BF72BCCB88F7
        SHA-256:84F1A732EFEFB64300D3D715FC6CB8C5D9C357CFDD15CB6C27FB772128202537
        SHA-512:96463DD76A367EB7247B7D76A66D6E8F4A157F2EE58AA7AF90D5185BDCCBA50E126ADFAB9CB13F8A0D4D8EC90FF107ACB6209D9CFE283A98998C2C0E98501A58
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:<?xml version="1.0"?>..<UserConfiguration>...<Info version="Outlook.14"/>...<Data>....<e k="18-piAutoProcess" v="3-True"/>....<e k="18-piRemindDefault" v="9-15"/>....<e k="18-piGroupCalendarShowMyDepartment" v="3-True"/>....<e k="18-piShowWorkHourOnly" v="9-1"/>....<e k="18-piAutoDeleteReceipts" v="3-False"/>....<e k="18-piGroupCalendarShowDirectReports" v="3-True"/>....<e k="18-piGroupCalendarShowCoworkers" v="3-True"/>....<e k="18-piReminderUpgradeTime" v="9-221520045"/>....<e k="18-piShowFreeItems" v="9-0"/>....<e k="18-OLPrefsVersion" v="9-1"/>...</Data>..</UserConfiguration>..

        C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_250D2E3C8794BC4E95FB6A4333D8D9DC.dat

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):261
        Entropy (8bit):5.153532784897173
        Encrypted:false
        SSDEEP:6:TMV08OLWYR9OeAivsNR89LREGQPjprARcHZfdMARac+gKsjv06m:TMG8ORCxXCpiGQPj9A6xiAAc+Sj86m
        MD5:9582984B137701598BAC91FFB5B86FED
        SHA1:16373CF4B0BDEE47D85BA39981B9A9499E59D34E
        SHA-256:9F5BE8ABA6283365BA05FAF08B54A7196E64B2146986D00BAED2FBDA8CF6482B
        SHA-512:3EE86CA79F4BE623D2554A5232C8D5D5631D42540AB3FF55F59F3B3E62D6AF7955254C7B81676FBFA9C121F491198E496587F02E576A6F9E8EF54EED870D7083
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:<?xml version="1.0"?>..<UserConfiguration>...<Info version="Outlook.14"/>...<Data>....<e k="18-piCreateContactsForOneOffs" v="3-True"/>....<e k="18-piImportedContactNickNames" v="3-False"/>....<e k="18-OLPrefsVersion" v="9-1"/>...</Data>..</UserConfiguration>..

        C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_614BC982876BD14E82F4092077D7C625.dat

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):267
        Entropy (8bit):5.160869873037959
        Encrypted:false
        SSDEEP:6:TMV08OLWYR9OeAivsNRRM2fOgLs4ARUQMdMhUvARac+gKsjv06m:TMG8ORCxXW4AOQM5AAc+Sj86m
        MD5:57F30B1BCA811C2FCB81F4C13F6A927B
        SHA1:FE5ADC0968CF5727AE2D77FD57F39E552319C8E8
        SHA-256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3
        SHA-512:B195EF2F93C34581B867BF6598133A0A5A4101EAED64FAE1FBCE34BF3067C0D313CD700E36F82C84E37522E3D43E179671A8D602E8452441BB35DAEA833D5036
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:<?xml version="1.0"?>..<UserConfiguration>...<Info version="Outlook.14"/>...<Data>....<e k="18-piConversationsOnInAllFoldersChangeNumber" v="9-1"/>....<e k="18-piUpgradeToConversations" v="9-2"/>....<e k="18-OLPrefsVersion" v="9-1"/>...</Data>..</UserConfiguration>..

        C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_DE059256C55A1A4A853D9F1B8B61224D.dat

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):204
        Entropy (8bit):5.146779630782915
        Encrypted:false
        SSDEEP:6:TMV08OLWYR9OeAivsNRKQKSBCKoUprARac+gKsjv06m:TMG8ORCxXoQrBCOAAc+Sj86m
        MD5:F194B1FA12F9B6F46A47391FAE8BEEC2
        SHA1:A98AA68D6755CEF50B9AAF0B8ACFF6266BC49493
        SHA-256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
        SHA-512:8368579F03759BCE44313D33B5E877343D282C3F9938BE49343C46A529C6DF464DB0EA462753DD542DF760EF2F943A29562FDCE42C5AB5D411BD0A8CF85DA488
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:<?xml version="1.0"?>..<UserConfiguration>...<Info version="Outlook.14"/>...<Data>....<e k="18-piGroupExpandAnimations" v="3-True"/>....<e k="18-OLPrefsVersion" v="9-1"/>...</Data>..</UserConfiguration>..

        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\901EE597.dat

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:PNG image data, 519 x 223, 8-bit/color RGBA, non-interlaced
        Category:dropped
        Size (bytes):7186
        Entropy (8bit):7.654441639555211
        Encrypted:false
        SSDEEP:192:v44AgZEknqHVHEDXvlWWW0oqiXHJWWontkZm:vzAhVHEbvlWWW0oqiXHJWWktkZm
        MD5:B7A10E3C1A0B57A0F176148B01C85C2E
        SHA1:1C0DC3E517845089B7017CC2CBF2AB3F5C666071
        SHA-256:C87B50239968BD8BCBA1DC27F042496A9A585C04E3EA01315871E88EF0A4E152
        SHA-512:89C92167E13C0787E1814B0968F3E89C3C9F978BA8C7314B896457E06A8AF4F99DFB35E61A7A7268C99B9DD6F2FB8F99AE18AB424F88D610A78F8176F483BE97
        Malicious:false
        Preview:.PNG........IHDR.............bSpP....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.._.lgy.qoz.S..H.*.X..j...R{..x.X#.(J.6.....H.o.E..#Q.P.n.^.l...... rD.....4....!...:......y.]kf......|..pf...93.3k.g........-......eA.....P.........%(...@-.JP....Z...8....,(Aq...jYP.............eA.....P.........%(...@-.JP....Z.......~......?y.k......^..8+....}b.Hq._?.qw...In...g?.Y......o{.^.4.zS..1.].xG.......>.{.._8.u...TZ......9.z:.k..8.b..8PBT.ur....G...LX...z........7?....:..O.j.'|....m.j............kI..E;..Ac.*.z.n..w..vw..w.......?[s.H.z.c..........=.....p.U.c.._............~.Sa.}......e...-Pap..~.{?...~]..........u.......I....dX.....qKN.8.1...?.U......_........:.......!.)).8..NX*....{.....c..K_.^..W.....^.}...........?...k_...;.Y.:C..........y..?...o.>....v...7....G.......w?..O../~.K.~.3.I}.......<...^.u..........^......|.......{..~......w.D.....3........<...f*......y.v....F.H.J.N...H.g.....s"........M.>J"/..~.g...7(.^.[:...._k..

        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmp

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):1024
        Entropy (8bit):2.5424596564286817
        Encrypted:false
        SSDEEP:12:DLqBmQElpyklvW1TK0sO0BZ6aiSARf2mNw0fkQK1bN2vUnvYjlvYC:DLqBtMpy+OKD/cfu0fzKhNWugjlgC
        MD5:3E9402A4E29ADF43011C5F3FF8DB7868
        SHA1:FE875EFB109C5CDDD2BE31FBB71DEB3502FEAE97
        SHA-256:6C28376E621A068809FB9C978D2084633D74098C3B94D555B8BA3A61C354244C
        SHA-512:8E4A917FBD617455573903336A5E3A9E1BA10DC39F850491CC4E881C40B811A41B41EB33E8BA659C240AEDFAF6A87B19C97735E2DD27FC7CE58F60CE8C89FE73
        Malicious:false
        Preview:H.Y.P.E.R.L.I.N.K. .".h.t.t.p.s.:././.s.r.f.e.d.-.m.y...s.h.a.r.e.p.o.i.n.t...c.o.m./.:.f.:./.p./.p.a.u.l._.s.c.a.c.e./.E.t.C.5.e.2.X.q.u.N.9.F.p.0.K.3.S.w.7.I.A.U.s.B.1.j.H.1.1.B.q.d.C.O.E.T.9.B.K.L.S.l.V.1.T.w.?.e.=.j.P.S.k.P.9."... . .....I.N.C.L.U.D.E.P.I.C.T.U.R.E. .".c.i.d.:.i.m.a.g.e.0.0.1...p.n.g.@.0.1.D.B.1.4.D.9...D.7.F.C.8.1.7.0.". .\.*. .M.E.R.G.E.F.O.R.M.A.T.I.N.E.T... . .................................................................................................................................................~...................................................................................................................................................................................................................................................................................................................................................................................................1.j....B*.U..fH..mH..nH..ph....q............u...(.(B*.fH..mH..nH..ph....q.......

        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4754ED9B-5C17-43EF-BD57-96744A09B729}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced
        Category:dropped
        Size (bytes):605
        Entropy (8bit):7.435048064793928
        Encrypted:false
        SSDEEP:12:6v/7uNpsb/ZJZP6pZVS2vW77X3wq2A5QLciaL9OykYdHMXWO5e5dzJZgR2:nTKPqS2vuX/MvmEyXWF0RQs
        MD5:4C61C12EDBC453D7AE184976E95258E1
        SHA1:87C1B3E9B6A11579F89CF92C0DB811E22840A3C2
        SHA-256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
        SHA-512:2258C757257C79F211535114806CEEADDBE13834F443D9FFBADBA049480CFAED6498C7F5557444759DCBB9CACCEB69BDBC05B5A544854087888086AF91E7F1AE
        Malicious:false
        Preview:.PNG........IHDR...............h6....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O...KSa......4....6...[.l2..M7-....M.RRP.A..%..X[43..r..5C+...k.r]D.E.EO..D.=<W..<...&<..xC...a......R=.;'.S;E.LZO...>._.~..K....n.SqR...f...V.....L....V]..S.j..m.u..HZ..2FB.~|..Ob],..0P8..9J..A+.A.;......a.[.. .%.!3..,..,.c.O.. ...F....:..$...>i,yH.Y.5..jV.$4<.Q.M...q.!Au.h/./..nv^...g-..P3gaFG.......I.......%..d{....l.;..|..#...._ .G..].;..A.%..)....D.J..$2$.....%..x.!X.eZ..~#..A.,..kf. /..E.Z%....M>.D.q.0.......#....n....._...VI..I.<z.xMJ...t.2..Y..d...?$=&...G..M.....+%....IEND.B`.

        C:\Users\user\AppData\Roaming\Microsoft\Outlook\Outlook.srs

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):16384
        Entropy (8bit):0.6697141597486581
        Encrypted:false
        SSDEEP:12:rl3baFaVqLKeTy2MyheC8T23BMyhe+S7wzQD19zNMyhe+S7xMyheCn90m:romnq1Pk961F
        MD5:7CCEAB209E6B24B8965F7AA5DD8D54FD
        SHA1:DFE92CD93ED9E105D6341DD6B4D199B6760BEEBA
        SHA-256:3508389D54C37E2D65F09E7D8BC20D04B696DADED43DDC3E97B12623721DA3E8
        SHA-512:1AFB12CBA058DEBEE37340C6DA1D446872337C85C1D1B638FF23AA0AF578C97D556684C2724F329ADE92629551BD71B9674F198CB5CF52B5A608D0376DF626DD
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

        C:\Users\user\Documents\Outlook Files\Outlook.pst

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:Microsoft Outlook email folder (>=2003)
        Category:dropped
        Size (bytes):271360
        Entropy (8bit):1.3413966937936947
        Encrypted:false
        SSDEEP:768:CpGjJYisqeSYgRHH9cbXV5c6FlR6Qhzlu9pGBF6F7:dJ58SYeHHenc6FX6qoCAF
        MD5:9184F736B257CE0B0BFF808054CF3C12
        SHA1:AA0A2F0C5A00B5C29FAC5EC28CF1AABC9A271D76
        SHA-256:98A38299425E5CC6A25ADD3B814841A14540B508409FC1999A668C405A6C0025
        SHA-512:E38585026D9A4A011CD26FAC109B700507D931476CFADEA772C9CF24BCC12878079E6AA8ABE37A18CBA6FA6EA12A62E4C62264CFEFCEFE766297DA350E8640ED
        Malicious:false
        Preview:!BDN.:.#SM......`.......................h................@...........@...@...................................@...........................................................................$.......D.......>..........................................................................................................................................................................................................................................................................................................................,........0.^.Q.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

        C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp

        Download File
        Process:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:FCD6BCB56C1689FCEF28B57C22475BAD
        SHA1:1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961
        SHA-256:DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31
        SHA-512:73E4153936DAB198397B74EE9EFC26093DDA721EAAB2F8D92786891153B45B04265A161B169C988EDB0DB2C53124607B6EAAA816559C5CE54F3DBC9FA6A7A4B2
        Malicious:false
        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

        Static File Info

        General

        File type:HTML document, ASCII text, with CRLF line terminators
        Entropy (8bit):5.6728122325946595
        TrID:
          File name:nested-FW%3A payment.eml
          File size:57'956 bytes
          MD5:5f8f0b0e9907ebba6720c25b2382904c
          SHA1:84d0ffd0e4274ef1dd297c62e51b7f76bfcfeaa2
          SHA256:b7f88f3aa4c7254cb9137193967ca07d2ba4cc99c7e44c91ec21ed5eea70ed31
          SHA512:1e1962c67055480e22420057e137058604b9d08ae2aaca1362eb4b460574bbbda1d11094354eeafe0ffc1452934cefcd4d1500d8f86f6c5b589c762cda34cf8e
          SSDEEP:768:l88HV5L5ttFtAYcBMrCeSWNecFIreilVq1:+2tNcBMrCeSWNecFu6
          TLSH:7143BF8CE9108D8B33B3A2F9623454F41B77967CC0090497F0EAF26D7D86C66E6D2267
          File Content Preview:Subject: FW: payment..Thread-Topic: payment..Thread-Index: AdsU+/51qcjypk/uSIKLdIowLZUbigAAQYxg..Content-Language: en-US..X-MS-Has-Attach: yes..X-MS-TNEF-Correlator: ..X-MS-Exchange-Organization-RecordReviewCfmType: 0..Content-Type: multipart/related;...t

          Static Mail

          General

          Subject:FW: payment
          From:
          To:
          Cc:
          BCC:
          Date:
          Communications:
          • <https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1jH11BqdCOET9BKLSlV1Tw?e=jPSkP9> Thanks! Lorraine Lorraine Roy | Jr. Proposal Coordinator BArchSc ERA 625 Church St, Suite 600 Toronto, ON M4Y 2G1 T 647.373.5795 F 416.963.8762 E LorraineR@eraarch.ca<mailto:LorraineR@eraarch.ca>
          Attachments:
          • image001.png

          Headers

          Key Value
          SubjectFW: payment
          Thread-Topicpayment
          Thread-IndexAdsU+/51qcjypk/uSIKLdIowLZUbigAAQYxg
          Content-Languageen-US
          X-MS-Has-Attachyes
          X-MS-TNEF-Correlator
          X-MS-Exchange-Organization-RecordReviewCfmType0
          Content-Typemultipart/related; type="multipart/alternative"; boundary="_004_8067807165766670777970657977696673766674677780787368756_"
          MIME-Version1.0

          File Icon

          Icon Hash:72cf97d7cfab80d5

          Network Behavior

          Network Port Distribution

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Oct 3, 2024 00:02:20.248277903 CEST5456253192.168.2.228.8.8.8

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Oct 3, 2024 00:02:20.248277903 CEST192.168.2.228.8.8.80xfda3Standard query (0)config.messenger.msn.comA (IP address)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Oct 3, 2024 00:02:20.267719030 CEST8.8.8.8192.168.2.220xfda3No error (0)config.messenger.msn.comconfig.messenger.msnmessenger.msn.com.akadns.netCNAME (Canonical name)IN (0x0001)false

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          System Behavior

          General

          Target ID:0
          Start time:18:02:12
          Start date:02/10/2024
          Path:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
          Wow64 process (32bit):false
          Commandline:"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-FW%3A payment.eml"
          Imagebase:0x13fab0000
          File size:24'496'480 bytes
          MD5 hash:4EB384BD3A1D26B94A44327818685F54
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:false

          Disassembly

          No disassembly