
Windows Analysis Report
nested-Mail delivery failed%3A returning message to sender.eml

Overview

General Information

Sample name:nested-Mail delivery failed%3A returning message to sender.eml
Analysis ID:1545546
MD5:fbf9480ea15fb77b76116d6cb1f30166
SHA1:b555b095845f21e0c86ebd2dfb5490cec64fe697
SHA256:ce8a9bd0080822a855a5126fe9cc9652fa23f77640accbf747188ff6409e5382
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7348 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Mail delivery failed%3A returning message to sender.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7648 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "61DB761E-FD96-418A-AA4C-97B932246A95" "7E9C3EDC-7C20-4F6E-A0E1-FF6D270F0BBE" "7348" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched
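The only Sigma hit in this report is Outlook itself (PID 7348) writing an all-zero value under its own OneNote.OutlookAddin key, which is the add-in state Outlook maintains on every start. The following is an added triage example, not code from Joe Sandbox or from the Sigma project: it applies a simplified stand-in for the rule's selection (any SetValue beneath an Office Addins key) to constructed Sysmon Event ID 13 records and suppresses the hit when the writing image lives under an Office install directory. The first record is the event from this report; the second record, its image path and key name are hypothetical and exist only to show what the tuned check still raises. The Office install roots, the allow-list approach and the verdict labels are this example's own choices.

```python
# Constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records. The first is
# the event reported on this page; the second is a hypothetical writer from a
# user-writable path, included only to show what the tuned check still flags.
EVENTS = [
    {
        "EventID": 13, "EventType": "SetValue", "ProcessId": 7348,
        "Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetObject": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Addins\\OneNote.OutlookAddin\\1",
        "Details": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    },
    {   # hypothetical record, not taken from the report
        "EventID": 13, "EventType": "SetValue", "ProcessId": 4242,
        "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe",
        "TargetObject": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\Example.Connect\\LoadBehavior",
        "Details": "DWORD (0x00000003)",
    },
]

# Install roots of Click-to-Run and MSI Office; the allow-list used by the tuning below
# (an assumption of this example, adjust to the installation paths in your estate).
OFFICE_ROOTS = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
)


def matches_office_addin_key(target):
    """Simplified stand-in for the Sigma rule's selection: a value set beneath an Office Addins key."""
    t = target.lower()
    return "\\software\\microsoft\\office\\" in t and "\\addins\\" in t


def is_office_binary(image):
    """Path-based check: the writing image lives under an Office installation directory."""
    return image.lower().startswith(OFFICE_ROOTS)


def triage_addin_events(events):
    """Apply the add-in key selection, then split hits into suppressed (Office itself) and alerts."""
    out = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        if not matches_office_addin_key(ev["TargetObject"]):
            continue
        if is_office_binary(ev["Image"]):
            verdict = "suppress"   # Office maintaining its own add-in state, as in this report
        else:
            verdict = "alert"      # some other process registering an Office add-in
        out.append({"pid": ev["ProcessId"], "image": ev["Image"],
                    "target": ev["TargetObject"], "verdict": verdict})
    return out


if __name__ == "__main__":
    for hit in triage_addin_events(EVENTS):
        print(hit["verdict"], hit["pid"], hit["target"])
```

The Event ID 13 record shown on this page carries no hash or signer information, so the suppression above keys on the image path alone; a process that can already write into Program Files can satisfy it. Where the Sysmon Event ID 1 record for the same ProcessId is available, prefer its image hashes and file-version fields over the path for the allow-list.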

There are no malicious signatures.

Source: classification engine; Classification label: clean1.winEML@3/9@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T1200340314-7348.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Mail delivery failed%3A returning message to sender.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "61DB761E-FD96-418A-AA4C-97B932246A95" "7E9C3EDC-7C20-4F6E-A0E1-FF6D270F0BBE" "7348" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (48 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK Matrix (a leading count marks a technique mapped from this analysis's signatures; cells without a count carry no signature from this analysis):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
  • Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 Process Discovery; 12 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph ID: 1545546; Sample: nested-Mail delivery failed...; Start date: 30/10/2024; Architecture: WINDOWS; Score: 1. Process tree: OUTLOOK.EXE started ai.exe.

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1545546
Start date and time:2024-10-30 16:59:32 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 17s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:nested-Mail delivery failed%3A returning message to sender.eml
Detection:CLEAN
Classification:clean1.winEML@3/9@0/0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.168.117.174
  • Excluded domains from analysis (whitelisted): ecs.office.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, onedscolprdeus22.eastus.cloudapp.azure.com, mobile.events.data.microsoft.com, mobile.events.data.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: nested-Mail delivery failed%3A returning message to sender.eml
No simulations
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.382516348872134
Encrypted:false
SSDEEP:3072:3pg9kVgFmiGu2+qoQzrt0FvDrCPhI91knR:3Pumi2beCPajkR
MD5:9E192EDF7F287E690B7CCF2777C75523
SHA1:280098ED5A3EB76309092CB6183B0050ED270866
SHA-256:5E108356B81E4F91353044A9DFF8165D7511B3662B1A3387FB06799D62AA4DEF
SHA-512:A477D24D94BE9AC0DC43D15BCC0180A7FBADC694FDC98370A349DBE6026DD608EE406895E9F8B6321FBD6ED2B5205D3169FA931548B6A92ED9EDCAC6E665BD7C
Malicious:false
Reputation:low
Preview:TH02...... .`....*......SM01X...,........*..........IPM.Activity...........h...............h............H..hl.o............h...........H..h\alf ...AppD...h...0....o....h..............h........_`.j...h...@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h.-.F.....o...#h....8.........$h.......8....."hX.............'h..=...........1h...<.........0h....4.....j../h....h......jH..h.p..p...l.o...-h .........o...+h8.....`.o................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04579732647217531
Encrypted:false
SSDEEP:3:GtlxtjlBHt2Cyo41lxtjlBHt2CywXl1R9//8l1lvlll1lllwlvlllglbelDbllAC:GtRtoRtF9X01PH4l942wU
MD5:FF55385772E53FA26A64DEF984B6EC7D
SHA1:3A7DFF2D1BDC1DF10C21FA2800AEAF0391A0C62F
SHA-256:BAB44A6D038D5FC31ED65EC2585A1E8FD25A38BC1ED4709F90F714EA66B0B557
SHA-512:3465AC7F35EC4FB9C192A0BFFBA6DA7029C7E37E755241AFF46D429865451B3ACA632C614396FF9A94392900CD14AA3A1C09E1D055ACC827FEEA393E40CC44C5
Malicious:false
Reputation:low
Preview:..-.....................B..yb...d.....U...B...Z..-.....................B..yb...d.....U...B...Z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):49472
Entropy (8bit):0.48419364216449945
Encrypted:false
SSDEEP:48:GZQ1+Ull7DYMDfzO8VFDYMSpSBO8VFDYML:DTll4ybjVGMjVGC
MD5:8CF01F12669DF7057C1B181C8976E4CF
SHA1:067AE91D4C0525A66DA0E759E5440141E34AC92B
SHA-256:5F8C361E9AA77DEB4EA469122585E414ABA688D315106CDFC5DF79F1153CC644
SHA-512:47654C1CE8542B59034B7EBA88F058224A9A82FD8555AFBB9CF90FB877E4AC817186C27B3E786E4CAA8396751DAB01F26048C490C7F825938322B2808CB59849
Malicious:false
Reputation:low
Preview:7....-...........d.....U[kg%i:...........d.....U....IF.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28785), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16092831455602435
Encrypted:false
SSDEEP:1536:daOi4Q5ETm5huW8RF89U+u6S2jDZU+AH7dejiyujogWGmZT103/EeB/:fQuihuFF89U+u6S2Ruqp
MD5:B201DDCE18126A27C21AABD045D942FF
SHA1:93553B6B408E629BD2F0E917675220A0FC9F8073
SHA-256:33797560AE3E9ED8D727501F341DF52C3BCE149201A5B0C2D92536FB3849A531
SHA-512:C8D800B0FC11C13F341BB4159B30111822AB5E52BF474A2EE5C6F0F3A7A9A190068FF4342EE861C85E9FB1350C0A8F6A29CB3611500193A67404154ABB48FCBC
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/30/2024 16:00:34.986.OUTLOOK (0x1CB4).0x1CB8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":20,"Time":"2024-10-30T16:00:34.986Z","Contract":"Office.System.Activity","Activity.CV":"C7ew2jIOSEOgm8YgSR6PNA.4.11","Activity.Duration":17,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/30/2024 16:00:35.017.OUTLOOK (0x1CB4).0x1CB8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":28,"Time":"2024-10-30T16:00:35.017Z","Contract":"Office.System.Activity","Activity.CV":"C7ew2jIOSEOgm8YgSR6PNA.4.12","Activity.Duration":22973,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajor
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Reputation:high, very likely benign file
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):110592
Entropy (8bit):4.504562035765375
Encrypted:false
SSDEEP:768:xYnVr0syL3gd4Qe1XE5Lv9+BcyfOV19XyPzNXWrWOoWGWFrrfl:g4QLv9+BcyfQDX0ct
MD5:D667481C96E5BF6E55DB2E6D0C0EB140
SHA1:0FCF276B71D6CA44FAAD3E977660EECC0EE94D45
SHA-256:93B3D858EC07AD06D18F110E02CA32A240D5D7F4C95D05AB2FA65949A6B85E13
SHA-512:C6109EBE3F490A5706D9C2F29DF8BDDF0DB81456D4776F2447831EB419560E40BC422AB9DAE36F097645415113B4CAEF43973864F7AC6C41E98967D4AA3278BB
Malicious:false
Reputation:low
Preview:............................................................................d.............n..*..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................................n..*..........v.2._.O.U.T.L.O.O.K.:.1.c.b.4.:.d.a.2.b.8.7.3.c.8.4.e.1.4.3.7.1.8.a.2.2.d.b.f.4.1.0.8.4.7.4.e.b...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.3.0.T.1.2.0.0.3.4.0.3.1.4.-.7.3.4.8...e.t.l...........P.P.........eHs..*..................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:/qItt:iIt
MD5:A3935F28CE1FA18C62BC58EA68FECD2C
SHA1:4545E379EA707B1560232876CE09E9362F0F7809
SHA-256:5E4900D1621247B0DF38272438891032A23414626EB49825CAB8B3258110EBA6
SHA-512:766F0839394C71EB9928894AF1899A09FBC7BEE8C5B143774AF05014864DB35BBFAD8AD4109D43CFBBB8F1596AB801E449B89B19E735CBFC64A29F95735BF64C
Malicious:false
Reputation:low
Preview:.....O........................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.097862136650733
Encrypted:false
SSDEEP:1536:FTrwAXB8oNYWfc+LHmf0WW53jEpEHP4qQ10PAwrTn0DW53jEpEHP4qQ10PAwr1:FfXkWfcCyp9kip9
MD5:BECD73A61E388BE830848534485E1F0C
SHA1:A44AFECBDBCD563AC1486C3191CCD05C0586D6CD
SHA-256:8EDA3E749309BA0AE7C9C84543A87C5E69E955237B7CF861C07C548CE37B35CF
SHA-512:10081FA554CE353BE9E8A2CED9BA90D9F5D6D16F873384557ABAD9F6D4FCFA46A867AD094C17D1D8196A157F5D4FF4F02B9327E2D0641F95D8018D766115646D
Malicious:false
Reputation:low
Preview:!BDN.V*6SM......\....L..................\................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................L........?..U......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):2.298940064882673
Encrypted:false
SSDEEP:768:oW53amEpAHRHP4qQ10PAwr1VteU5J1ZbGH2uDNrSYT/GhaLeU5J12SOqHP:oW53jEpEHP4qQ10PAwr1C0HY+T0D
MD5:B53C9D4BE87E31734E6E2EC78EDA82FD
SHA1:4133363E78A92A4378689C71626D323A8A77DC22
SHA-256:845B88C268309CF56CBC7ACF707B3B44B0D94AB174D6DB75D1809800D837B499
SHA-512:17AC6402875040B41ED00C6F22204C9C5B84EA5DE4C3955049420278C1CC4BDDAE44B1F7EB0296C0625172A7B7BFD2E4E8A9E4453A4460B58A3ABCFB5089579A
Malicious:false
Reputation:low
Preview:....C...d............H5..*....................#.!BDN.V*6SM......\....L..................\................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................L........?..U...H5..*.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:RFC 822 mail, ASCII text, with CRLF line terminators
Entropy (8bit):5.5596285333416615
TrID:
    File name:nested-Mail delivery failed%3A returning message to sender.eml
    File size:4'177 bytes
    MD5:fbf9480ea15fb77b76116d6cb1f30166
    SHA1:b555b095845f21e0c86ebd2dfb5490cec64fe697
    SHA256:ce8a9bd0080822a855a5126fe9cc9652fa23f77640accbf747188ff6409e5382
    SHA512:5c58e0eb62afe4d981a6093ad9cba81cc8b86b6e266ead22cc87897017a0ab1e52440480526ae7e5e4868f2dcfe5a9e2e683ac5458b68b7091db3a0fb27a1c8d
    SSDEEP:96:6R0RKyUtPxeI01C2jwThj9/CRecgYYIPYIonacgc1:ckU28Th9/CRecWa9w
    TLSH:7981DB15E655112EA6C2D3C6F4107D028270A1C51BFED5E0AEBDC18613D5D8C772FAAF
    File Content Preview:Received: from YT4PR01CA0339.CANPRD01.PROD.OUTLOOK.COM.. (2603:10b6:b01:fc::22) by DS1PR13MB6875.namprd13.prod.outlook.com.. (2603:10b6:8:1e4::17) with Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8093.27
    Subject:Mail delivery failed: returning message to sender
    From:Mail Delivery System <Mailer-Daemon@elysia.server.band>
    To:atendimento@broettoguindastes.com.br, erlo.evandro@gmail.com
    Cc:
    BCC:
    Date:Wed, 30 Oct 2024 11:22:34 -0300
    Communications:
    • This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: erlo.evandro@gmail.com Domain broettoguindastes.com.br has exceeded the max emails per hour (13/10 (130%)) allowed. Message discarded. atendimento@broettoguindastes.com.br Domain broettoguindastes.com.br has exceeded the max emails per hour (13/10 (130%)) allowed. Message discarded.
    Attachments:
      Key:Value
      Received:from mailnull by elysia.server.band with local (Exim 4.96.2) id 1t69ak-0005bz-19 for jritchie@globeandmail.com; Wed, 30 Oct 2024 11:22:34 -0300
      Authentication-Results:spf=none (sender IP is 174.138.54.139) smtp.helo=elysia.server.band; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=elysia.server.band;
      Received-Spf:None (protection.outlook.com: elysia.server.band does not designate permitted sender hosts)
      X-Failed-Recipients:erlo.evandro@gmail.com, atendimento@broettoguindastes.com.br
      Auto-Submitted:auto-replied
      From:Mail Delivery System <Mailer-Daemon@elysia.server.band>
      To:atendimento@broettoguindastes.com.br, erlo.evandro@gmail.com
      References:<f7420b696dd2d162d4a53f8c7ebda078@broettoguindastes.com.br>
      Content-Type:multipart/mixed; boundary="----sinikael-?=_1-17302990586950.6015384231056544"
      MIME-Version:1.0
      Subject:Mail delivery failed: returning message to sender
      Message-Id:<E1t69ak-0005bz-19@elysia.server.band>
      Date:Wed, 30 Oct 2024 11:22:34 -0300
      X-Antiabuse:Sender Address Domain -
      X-Get-Message-Sender-Via:elysia.server.band: sender_ident via received_protocol == local: mailnull/primary_hostname/system user
      X-Authenticated-Sender:elysia.server.band: mailnull
      X-Source-Args:php-fpm: pool broettoguindastes_com_br
      X-Source-Dir:broettoguindastes.com.br:/public_html/web-files/orcamento
      Return-Path:<>
      X-Ms-Exchange-Organization-Expirationstarttime:30 Oct 2024 14:22:34.7956 (UTC)
      X-Ms-Exchange-Organization-Expirationstarttimereason:OriginalSubmit
      X-Ms-Exchange-Organization-Expirationinterval:1:00:00:00.0000000
      X-Ms-Exchange-Organization-Expirationintervalreason:OriginalSubmit
      X-Ms-Exchange-Organization-Network-Message-Id:5c87e774-91b2-4abe-17cb-08dcf8ee4c6e
      X-Eopattributedmessage:0
      X-Eoptenantattributedmessage:44376110-425e-46ab-942e-26c9518bfd03:0
      X-Ms-Exchange-Organization-Messagedirectionality:Incoming
      X-Ms-Publictraffictype:Email
      X-Ms-Traffictypediagnostic:YT2PEPF000001CF:EE_|DS1PR13MB6875:EE_
      X-Ms-Exchange-Organization-Authsource:YT2PEPF000001CF.CANPRD01.PROD.OUTLOOK.COM
      X-Ms-Exchange-Organization-Authas:Anonymous
      X-Ms-Office365-Filtering-Correlation-Id:5c87e774-91b2-4abe-17cb-08dcf8ee4c6e
      X-Ms-Exchange-Atpmessageproperties:SA|SL

      Icon Hash:46070c0a8e0c67d6
      No network behavior found

      Target ID:1
      Start time:12:00:32
      Start date:30/10/2024
      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Mail delivery failed%3A returning message to sender.eml"
      Imagebase:0x7f0000
      File size:34'446'744 bytes
      MD5 hash:91A5292942864110ED734005B7E005C0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:2
      Start time:12:00:36
      Start date:30/10/2024
      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "61DB761E-FD96-418A-AA4C-97B932246A95" "7E9C3EDC-7C20-4F6E-A0E1-FF6D270F0BBE" "7348" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
      Imagebase:0x7ff79f440000
      File size:710'048 bytes
      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      No disassembly