OUTLOOK.EXE

  • File Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  • Description: Microsoft Outlook

Hashes

Type Hash
MD5 5E6B9FCA30B926586EFD0BFFA963A4BE
SHA1 B47DE31A3EE68461C7CE6E75E8514E5D1BEF9BC1
SHA256 326F909470F562F20F0E66FEFE8C9936C0CF0269D0C87D107120C5E2AC06B9B5
SHA384 49A7AF8B6646B5CA44494C83C4803B29458189739B8AC90814B834129952975885290873FAEBE0C10406AC51247154B2
SHA512 8468ADC2FB4D1D3A884488EB76D13FFA5B6A9CB99F20E38C4D956AB5516EE632E2125395E4477108703846DDE037B86EAC90B9C6613DC08BEB0F039FCB188B57
SSDEEP 786432:agRUVSZZ1lewuGwZ2amSD85DSarzss+lrc:B3Z1leFGwZLBDGDSarzshlr
IMP DCE161AA8668D2230D23AD0E9098CC50
PESHA1 5AA8C97D659884A751F147FDA42926816DFC9EE5
PE256 4BE5F27567FCFE959C3F605B4E8CAC8BED4E5C5F6617D0D15B4B21A92F9A27F6

Runtime Data

Child Processes:

cmd.exe cmd.exe

Window Title:

Microsoft Outlook

Open Handles:

Path Type
(R–) C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker File
(R-D) C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_12527_20482-20201004T1153300144.etl File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\mswsock.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.Security.Authentication.Web.Core.dll.mui File
(R-D) C:\Windows\System32\en-US\winnlsres.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_429cdbca8a8ffa94 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\10FM_ACB_S-1-5-5-0-257318 Section
\Sessions\1\BaseNamedObjects\10FM_ACBBD_S-1-5-5-0-257318 Section
\Sessions\1\BaseNamedObjects\MAPI-1612527!4D4170490000001C1EF98E14_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\BaseNamedObjects\MAPI-1612527!80468DF40000001C1EF98E14_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\BaseNamedObjects\OfficeSharedLocks_SharedHeap_Pages_00_01_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\BaseNamedObjects\OfficeSharedLocks_SharedHeap_SharedMem_00_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\BaseNamedObjects\UrlZonesSM_user Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\Windows\Theme64749523 Section
\Windows\Theme1120315852 Section

Loaded Modules:

Path
C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CE7C9ACE7D905ED2B70000000002CE
  • Thumbprint: B10607FB914700B40F794610850C1DE0A21566C1
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Outlook.exe
  • Product Name: Microsoft Outlook
  • Company Name: Microsoft Corporation
  • File Version: 16.0.12527.20482
  • Product Version: 16.0.12527.20482
  • Language: Language Neutral
  • Legal Copyright:
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/65
  • VirusTotal Link: https://www.virustotal.com/gui/file/326f909470f562f20f0e66fefe8c9936c0cf0269d0c87d107120c5e2ac06b9b5/detection/

Possible Misuse

The following table contains possible examples of OUTLOOK.EXE being misused. While OUTLOOK.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\OUTLOOK.EXE' DRL 1.0
sigma sysmon_suspicious_dbghelp_dbgcore_load.yml - '\outlook.exe' DRL 1.0
sigma sysmon_susp_office_dotnet_assembly_dll_load.yml - '*\outlook.exe' DRL 1.0
sigma sysmon_susp_office_dotnet_clr_dll_load.yml - '*\outlook.exe' DRL 1.0
sigma sysmon_susp_office_dotnet_gac_dll_load.yml - '*\outlook.exe' DRL 1.0
sigma sysmon_susp_office_dsparse_dll_load.yml - '*\outlook.exe' DRL 1.0
sigma sysmon_susp_office_kerberos_dll_load.yml - '*\outlook.exe' DRL 1.0
sigma sysmon_susp_winword_vbadll_load.yml - '*\outlook.exe' DRL 1.0
sigma sysmon_susp_winword_wmidll_load.yml - '*\outlook.exe' DRL 1.0
sigma win_office_shell.yml - '*\OUTLOOK.EXE' DRL 1.0
sigma win_office_spawn_exe_from_users_directory.yml - '*\OUTLOOK.EXE' DRL 1.0
sigma win_susp_outlook.yml ParentImage: '*\outlook.exe' DRL 1.0
sigma win_susp_powershell_parent_process.yml - '\outlook.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\outlook.exe' DRL 1.0
atomic-red-team T1562.001.md | excluded_process | A list of processes to exclude from scanning | string | outlook.exe| MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.